Make internal Web Server accessible to outside using WAN with NAT (private IP)

Author
papapuff
Silver Member
  • Total Posts : 102
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/05/24 20:31:44
  • Status: offline
2018/12/07 00:38:57 (permalink)
0

Make internal Web Server accessible to outside using WAN with NAT (private IP)

hi there,
 
need advice and guidance.
I've created a virtual IP and its group,
and already made DDNS for my WAN connection.
The policy is also already created.
 
I tried to enter the web address (the DDNS ID I've registered), but the page is not found.
 
Am I missing something?
 
My internet connection is behind NAT.
 
thank you.
#1
lobstercreed
Bronze Member
  • Total Posts : 33
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/11/28 14:57:58
  • Location: Sedalia, MO
  • Status: offline
Re: Make internal Web Server accessible to outside using WAN with NAT (private IP) 2018/12/07 01:04:27 (permalink) ☼ Best Answerby papapuff 2018/12/09 23:10:11
0
I'm afraid you're missing the point from the other thread.  It is impossible to route across the Internet to a private IP address.  There are millions of networks that use the same private addressing, so how could the routers of the Internet know where to deliver that particular traffic?  They can't, and by design they drop that traffic (RFC 1918). 
 
You HAVE to have a public IP address if you want to be able to remotely access anything (SSL VPN, IPSEC VPN, DDNS, etc.). If your ISP won't give you a public IP, maybe they can port-forward for you as I described on your other post. That's the only way it can work... fundamentals of the Internet here.
#2
ede_pfau
Expert Member
  • Total Posts : 5751
  • Scores: 397
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: Make internal Web Server accessible to outside using WAN with NAT (private IP) 2018/12/07 05:36:15 (permalink) ☄ Helpfulby papapuff 2018/12/09 23:08:43
0
Just in case you DO get a public address but just not on the WAN port of the FGT...
Then it would matter how the internet router hands down traffic to the FGT. Most preferably it would be called "exposed host" or such, effectively forwarding all traffic to the FGT's WAN port. You would then use a VIP on the WAN interface to NAT traffic to an internal target.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#3
papapuff
Silver Member
  • Total Posts : 102
  • Scores: 0
  • Reward points: 0
  • Joined: 2012/05/24 20:31:44
  • Status: offline
Re: Make internal Web Server accessible to outside using WAN with NAT (private IP) 2018/12/09 23:08:30 (permalink)
0
hi there,
 
thanks for answers.
 
I've asked; the provider is not able to forward the port. And yes Ede_pfau, I got what you mean, thanks for the reminder.
 
Well, so there is no way to publish an internal web server where there is no public address. I thought that by setting "use ip public" in the DNS menu, the FortiGate could somehow convert the private IP to a public IP.
 
thanks all for help.
#4
Dave Hall
Expert Member
  • Total Posts : 1289
  • Scores: 126
  • Reward points: 0
  • Joined: 2012/05/11 07:55:58
  • Location: Canada
  • Status: offline
Re: Make internal Web Server accessible to outside using WAN with NAT (private IP) 2018/12/10 10:10:33 (permalink)
0
@Pengguna
 
Re your original post - setting up DDNS requires you to register with a DDNS provider and possibly set up DNS records too. I like using Fortinet's own DDNS service as it seems to be automatic (when using a FGT device), e.g.
 
config system ddns
edit 1
set ddns-server FortiGuardDDNS
set ddns-domain "server-hostname.fortiddns.com"
set monitor-interface "wan1"
next
end
 
One thing to keep in mind is that it takes time for DNS records to propagate, so I suggest using an online ping service to test that the FQDN resolves to your current IP.
 
And if your web server is going to be behind your FGT device, you will need to change the default port access to your FGT device (e.g. port 80 and/or port 443), then set up port forwards on the WAN interface -> internal static IP:80 (or internal static IP:443) if you want to use standard HTTP/HTTPS web port access.
 
Admin port access is changed via
 
config system global
set admin-port <port_number>
set admin-sport <port_number>
end

Personally, if you are going to expose an internal web server in such a manner, I advise putting the web server in a DMZ zone and think hard about what other security or UTM measures to put in place. 

NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C
#5
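The two checks the thread keeps coming back to (is the WAN address actually public, and does the DDNS name currently resolve to it) can be scripted. The following is an added example, not code from the thread or from Fortinet; the WAN addresses and the resolved addresses it tests are constructed sample values, and the hostname in the usage call is a placeholder rather than a real DDNS record. It also flags the carrier-grade NAT range (100.64.0.0/10), which an ISP that keeps customers behind its own NAT commonly hands out and which is just as unreachable from the Internet as the RFC 1918 ranges.

```python
"""Diagnose whether a DDNS hostname can reach a router's WAN port.

Added example for this thread; not FortiGate code. Sample addresses below are
constructed (RFC 5737 documentation and private ranges), not real hosts.
"""
import ipaddress
import socket
from typing import Optional

# Blocks that Internet routers never deliver to. RFC 1918 private ranges plus
# the RFC 6598 carrier-grade NAT range used by ISPs that NAT their customers.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),  # CGNAT, RFC 6598
]


def is_publicly_routable(addr: str) -> bool:
    """True only if addr could be reached from the public Internet."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def diagnose(wan_ip: str, ddns_resolved_ip: Optional[str]) -> str:
    """Classify why an inbound connection to the DDNS name would fail.

    wan_ip            address the router actually holds on its WAN interface
    ddns_resolved_ip  what the DDNS hostname currently resolves to (None if
                      the name does not resolve yet, e.g. not propagated)
    """
    # Order matters: a private WAN address makes every later step irrelevant,
    # which is the point lobstercreed makes above.
    if not is_publicly_routable(wan_ip):
        return "NO_PUBLIC_IP"
    if ddns_resolved_ip is None:
        return "DDNS_NOT_RESOLVING"
    if ddns_resolved_ip != wan_ip:
        return "DDNS_STALE"  # record exists but still points at an old address
    return "OK"


def resolve(hostname: str) -> Optional[str]:
    """Resolve hostname to an IPv4 string, or None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Constructed scenarios: the thread's situation first (private WAN address
    # behind the ISP's NAT), then a CGNAT address, then a public address with
    # the DDNS record in various states. 203.0.113.0/24 is a documentation net.
    cases = [
        ("192.168.1.10", "203.0.113.5"),
        ("100.64.3.7", "203.0.113.5"),
        ("203.0.113.5", None),
        ("203.0.113.5", "203.0.113.9"),
        ("203.0.113.5", "203.0.113.5"),
    ]
    for wan, seen in cases:
        print(f"WAN {wan:<14} DDNS -> {str(seen):<14} {diagnose(wan, seen)}")
    # Live use against a real record would look like (placeholder hostname):
    # diagnose(current_wan_ip, resolve("server-hostname.example.com"))
```

The `NO_PUBLIC_IP` result is the one that cannot be fixed on the FortiGate: no VIP, policy or DDNS setting changes it, only a public address or a port forward from the ISP does. `DDNS_STALE` is the propagation delay Dave Hall mentions, and is worth re-checking a few minutes later before touching the firewall configuration.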