Problem with External IP on second FG.

Author
filu
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/07/14 23:52:52
  • Status: offline
2019/07/15 01:53:07 (permalink)
0

Problem with External IP on second FG.

Hello, 
In my network I have a FortiGate 100D. On WAN1 I have the address xxx.xxx.xx.101/29. Now I want to install a FortiGate 30E for one of the segments of my network, so I need to configure one of the addresses from the class xxx.xxx.xx.101/29 as WAN1 on the FortiGate 30E. How should I configure the interfaces on the FG100 and FG30? 
 
In another network where I have two IP classes on the WAN interfaces, I can address WAN2 on the FG100 and WAN1 on the FG30 with different addresses. 
 
In this case, when I try to address WAN2, I have a conflict with the subnet on WAN1. 
 
So in the new configuration I will have ISP WAN -> FortiGate 100D -> FortiGate 30D 
#1


    ede_pfau
    Expert Member
    • Total Posts : 6047
    • Scores: 480
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Problem with External IP on second FG. 2019/07/15 02:25:25 (permalink)
    0
    hi,
    and welcome to the forums.
     
    Create a VIP on the 100D for a second public IP (not used on the 100D's WAN interface), and as the 'mapped-to' address you fill in the (private) WAN address of the 30E. You can put the 30E on your LAN, or create a small transfer subnet between an unused port of the 100D and the WAN port of the 30E.
    The VIP will even act as a source NAT for traffic coming from the 30E, no need to worry about that.
     
    To make the VIP effective, you need to use it in a policy on the 100D:
    src intf: WAN
    dst intf: LAN (for example, the port the 30E is connected to)
    src addr: ALL
    dst addr: my_VIP (!)
    no port forwarding
    service: ALL
    no NAT

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
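The VIP-plus-policy recipe above, written out as FortiOS CLI. This is an added example, not configuration from the original post or from Fortinet, and it makes several assumptions: the 100D's internet-facing port is `wan1`, the transfer subnet to the 30E sits on `port10` using the 10.100.0.1 / 10.100.0.2 pair suggested later in the thread, and `203.0.113.102` (an RFC 5737 documentation address, constructed here) stands in for the second, otherwise unused public address of the /29. The outbound policy at the end is also an assumption added to complete the picture; Ede's note that the VIP acts as source NAT for the 30E relies on that policy having NAT enabled.

```fortios
# ---- FortiGate 100D (edge) ----

# Transfer subnet between an unused 100D port and the 30E's WAN1.
# Assumed port name and addressing; pick whatever port is free on your unit.
config system interface
    edit "port10"
        set ip 10.100.0.1 255.255.255.252
        set allowaccess ping
    next
end

# Static 1:1 VIP: second public /29 address (constructed placeholder)
# mapped to the 30E's private WAN address. No port forwarding, so every
# port reaches the 30E; tighten with the policy's service field if needed.
config firewall vip
    edit "my_VIP"
        set extintf "wan1"
        set extip 203.0.113.102
        set mappedip "10.100.0.2"
    next
end

# Inbound policy that activates the VIP: WAN -> transfer port,
# destination is the VIP object itself, NAT disabled (the VIP does the DNAT).
config firewall policy
    edit 0
        set name "inbound_to_FG30E"
        set srcintf "wan1"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "my_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Assumed outbound policy for traffic originating from the 30E.
# With NAT enabled, the 100D uses the VIP's external IP as the source
# for sessions from the mapped address, which is the behaviour Ede describes.
config firewall policy
    edit 0
        set name "outbound_from_FG30E"
        set srcintf "port10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# ---- FortiGate 30E (inner) ----

# WAN1 gets the private side of the transfer subnet; default route
# points at the 100D's transfer port.
config system interface
    edit "wan1"
        set ip 10.100.0.2 255.255.255.252
        set allowaccess ping
    next
end
config router static
    edit 1
        set gateway 10.100.0.1
        set device "wan1"
    next
end
```

To confirm the reverse-NAT behaviour once it is in place, open a session from the 30E (or a host behind it) to the internet and inspect it on the 100D with `diagnose sys session list`; the translated source should show the VIP's external address rather than 10.100.0.2. If it shows the private address, the outbound policy is missing or has NAT disabled.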
    filu
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/14 23:52:52
    • Status: offline
    Re: Problem with External IP on second FG. 2019/07/15 03:17:11 (permalink)
    0
Thank you for the reply. 
So I should set a private IP on an unused port on the FG 100, for example 10.100.0.1, and 10.100.0.2 for WAN1 on the FG 30? 
     
If I don't have an external IP configured on this FG30, may I configure a site-to-site VPN connection between the two FGs? 
    #3
    ede_pfau
    Expert Member
    • Total Posts : 6047
    • Scores: 480
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Problem with External IP on second FG. 2019/07/15 03:55:52 (permalink)
    0
    Your suggestion for IPs is correct.
     
    EVERYTHING is a bit more difficult if the FGT doesn't face the internet directly. Either try it out, or put the VPN on the 100D. It's more powerful anyway.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #4
    filu
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/14 23:52:52
    • Status: offline
    Re: Problem with External IP on second FG. 2019/07/15 04:04:39 (permalink)
    0
Ok, thank you for the suggestion. Now everything is clear to me. 
     
BTW, is there any way to configure these two FGTs to use one of my external IPs to "face FG30" directly to the internet? Maybe I should use some switch before my FG100? 
    #5
    Toshi Esumi
    Expert Member
    • Total Posts : 1647
    • Scores: 139
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: online
    Re: Problem with External IP on second FG. 2019/07/15 09:23:26 (permalink)
    0
If your ISP has one of the /29 IPs as the GW, having a switch and connecting both FGTs to let them directly talk to the GW is the most common/natural way, regardless of whether it's a FGT or any other FW or router.
    #6
    ede_pfau
    Expert Member
    • Total Posts : 6047
    • Scores: 480
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Problem with External IP on second FG. 2019/07/15 13:17:03 (permalink)
    0
    Agree with Toshi. Why not use a small WAN switch? Way less problems with VPN, FortiGuard etc.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #7