DNAT for Internal Web Server

Author
johnlee43
New Member
2019/06/18 10:12:22 (permalink)

DNAT for Internal Web Server

Hello Everyone,
 
I recently installed FG100E with Firmware V6.0.3build0200.
We are hosting Web Server(192.168.1.20) in Internal Network.
When we access the Web Server by URL(http://www.mycompany.com) from the internal network stations, I want to set up FG100E to map the public IP (64.60.158.250) returned by DNS lookup to private Web Server IP(192.168.1.20).
What is the correct way of doing in FG100E?
Can we use Virtual IP without policy?
Or Virtual IP with self directing policy(Internal => Internal) will work ?
#1


    hubertzw
    Gold Member
    Re: DNAT for Internal Web Server 2019/06/19 06:15:02 (permalink)
    If I understand correctly, you don't want to use a private IP address even for the local users, correct?
    You can check this feature:
    https://cookbook.fortinet.com/configure-hair-pinning-fortigate/
     
    #2
    johnlee43
    New Member
    Re: DNAT for Internal Web Server 2019/06/19 08:13:32 (permalink)
    Hi hubertzw,
    Thank you for replying to my question.
     
    We are running a local network behind the firewall with local private IPs. All outbound traffic source addresses are SNATed to the external interface IP of the firewall.
     
    My question is how FG100E handles the traffic from the internal network to the external interface network, that is, the source address of the packet is an internal address like 192.168.1.x and the destination address is one of the public addresses from the subnet of the external interface like 64.60.158.x/29, including the one assigned to the external interface itself.
     
    Can it smartly find out that the destination is local and DNAT implicitly, or do we need to do the DNAT ourselves?
     
    #3
    hubertzw
    Gold Member
    Re: DNAT for Internal Web Server 2019/06/19 08:23:17 (permalink)
    Hi, for the outbound traffic FG keeps a session about the specific connection, including source IP, SNAT (usually with a unique port), destination, etc. For the returning traffic FG tries to find the existing session, and for that one you don't need DNAT. But when you initiate a connection from outside (incoming traffic) you need a policy with the destination IP of the VIP object (policy NAT) or the real (inside) host IP and then a mapping in the DNAT table (only with the central NAT settings).
    #4
    emnoc
    Expert Member
    Re: DNAT for Internal Web Server 2019/06/19 08:26:15 (permalink)
    Split-DNS is what you want? So that www.yourdomain.com is mapped to the RFC 1918 address on an nslookup from the inside hosts.
     
    Ken Felix
     
    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #5
    johnlee43
    New Member
    Re: DNAT for Internal Web Server 2019/06/19 11:35:40 (permalink)
    Hi emnoc,
     
    Is that what you call split-DNS?
    From the internal network, if the packet destination address is one of the public IPs assigned to the external interface subnet, I need that destination address to be translated into the local IP of the locally hosted server.
     
    Let's say we have locally hosted servers with private IPs:
       Web Server : 192.168.1.20
       DB Server : 192.168.1.10
     
    WAN Interface has public ip 75.36.85.249 from WAN subnet 75.36.85.248/29
     
    I defined two VIPs:
       75.36.85.250 => 192.168.1.10
       75.36.85.251 => 192.168.1.20
     
    So traffic from outside into our local servers is correctly managed by the security policy with the VIP.
     
    Now from an inside local station, if the client enters "http://www.mycompany.com" in a web browser, it will get 75.36.85.251 from the DNS server. I want to translate that 75.36.85.251 into 192.168.1.20. Will it be done automatically if I have the VIP defined? Or do I need to do split-DNS? If I need to do split-DNS, can you tell me how to?
     
    #6
    Dave Hall
    Expert Member
    Re: DNAT for Internal Web Server 2019/06/19 12:24:21 (permalink)
    Maybe look into dnstranslation.
     
    e.g.

    config firewall dnstranslation
        edit 1
            set src 75.36.85.250
            set dst 192.168.1.10
            set netmask 255.255.255.255
        next
        edit 2
            set src 75.36.85.251
            set dst 192.168.1.20
            set netmask 255.255.255.255
        next
    end
    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #7
    brycemd
    Silver Member
    Re: DNAT for Internal Web Server 2019/06/19 12:34:39 (permalink)
    Either you need to have local DNS entries that resolve to the internal IPs, or create a loopback rule.
     
    Source interface LAN, destination interface LAN, and destination object the VIPs you create.
     
    VIPs are essentially routes; they are active regardless of whether they are applied to any policies. So you need to allow the traffic to pass.
    #8
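    The loopback ("hairpin") rule brycemd describes, written out as FortiOS CLI using the VIP addresses from johnlee43's post. This is an added example, not code from any poster; the VIP name "vip-web", the policy name "hairpin-web" and the interface name "internal" are assumptions and must be replaced with the real object and interface names on the FG100E. The only thing that makes this VIP usable from the LAN side is "set extintf any": a VIP bound to the WAN interface only is never matched for packets arriving on the internal interface.

    ```fortios
    config firewall vip
        edit "vip-web"
            set extip 75.36.85.251
            set extintf "any"
            set mappedip "192.168.1.20"
        next
    end
    config firewall policy
        edit 0
            set name "hairpin-web"
            set srcintf "internal"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "vip-web"
            set action accept
            set schedule "always"
            set service "HTTP" "HTTPS"
            set logtraffic all
            set nat enable
        next
    end
    ```

    "set nat enable" on the internal-to-internal policy is not optional: without it the server sees the client's real 192.168.1.x source address and answers it directly on the LAN, bypassing the FortiGate, while the client is still waiting for a reply from 75.36.85.251, so the TCP handshake never completes. With NAT enabled the source is rewritten to the FortiGate's internal interface address and the reply comes back through the session that created it. Keep the service list limited to what the server actually publishes, since the policy otherwise opens every port on the VIP to the whole LAN; the existing WAN-to-internal policy for outside clients is unaffected by this rule.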
    johnlee43
    New Member
    Re: DNAT for Internal Web Server 2019/06/21 07:43:51 (permalink)
    Thank you for all the support you provided.
     
    I think DNS Translation function will work for me.
    It should be under Security Profiles=>DNS Filter=>DNS Translation,  but I could not find it on FG100E firmware v6.0.3build0200.  I could not enable it on GUI with Feature Visibility either.
    Is it available with the inspection mode "proxy" only?  If it is,  can we set the inspection mode to "proxy" only for "DNS Filter" profile?  If that function can be set only through CLI,  can you provide me with the scripts?
     
     
    #9