ERSO
New Contributor

Dest Port Forwarding with preserve Dest Ip

Hello,

I have been digging all over the web and the online FortiHelp, and even FortiSupport seems to be lost about this simple thing I need:

Translating the destination port without translating the source or destination IP address!

Example:

TCP-22 --> TCP-2222, for any source IP and 1.1.1.1 dest IP:

Int in:  192.168.1.1 --> 1.1.1.1:22

Int out:  192.168.1.1 --> 1.1.1.1:2222

That's all...

Everyone (really everyone) on the internet who approaches the subject of port forwarding says:

"Yes, very simple: Virtual IP! You set your port forwarding by mapping your IP to another..."

I do not want this... I want to do dest port forwarding and preserve the dest IP.

Of course, Fortinet doesn't allow me to do this:

Ext IP Range: 1.1.1.1 - 1.1.1.1

Mapped IP: 1.1.1.1

Or even this (makes me go out with IP 0.0.0.0):

Ext IP Range: 1.1.1.1 - 1.1.1.1

Mapped IP: 0.0.0.0

I have tried this (FortiGate accepts it...):

Ext IP Range: 0.0.0.0 - 0.0.0.0  (Thought it was an "any"...)

Mapped IP: 1.1.1.1

but my VIP doesn't get matched in the policy... The policy seems to wait for a dest IP of 0.0.0.0.

Support told me to activate Central NAT... well, I don't want to fix the source port... That's not what I need.

I mean... it's not a problem for any of the other competitors' products I have been working with... Cisco ASA, Checkpoint, Juniper...

They all offer a simple way to do a DNAT on the port without touching the IP address part...

Please, tell me I'm just missing the FortiGate trick for this need... I can't believe that I'm the only one...


Thanks for reading.

FortiGate 100E v6.0.4-0231

Dave_Hall
Honored Contributor

Maybe you want to look into hair-pinning

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
lobstercreed

I guess it seems unnecessary to me if your intention is not to change the IP. 

Just have the user connect on the correct port instead and set your policy to allow the traffic directly to the IP on that port.

We deal with non-standard ports all the time, but I've never needed to translate a standard port to a non-standard one. And if you do need to, you simply need to use a different IP for it.

Interesting that other vendors let you do this... I used to use a Cisco ASA but never needed anything like this, I guess.
