Support Forum
fgallardo
New Contributor

NATing not working. Reply not being received on remote server

Version: FortiGate-100E v6.0.2,build0163,180725 (GA)

We have a problem with a simple NAT creation. If you can point to a proper resource for that, that would be great. I searched on the internet and on the Fortinet web, but I couldn't find a guide that works.

=> General description: There is an internal network that gets internet access via the FortiGate. NAT is necessary.

=> Problem: The external connections get to the internal machines, but the reply is never routed back out of the DMZ interface, which is where the internet connection is attached and where the internet requests come in before reaching the internal network. Again: requests from the outside get into the network, but the reply is never routed back. The replies do reach the FW; the problem is that the FW does not send them out.

=> Followed process:

1. Interfaces properly configured.
2. A static route (Network -> Static Routes) was created to the gateway of the network the DMZ port is connected to. Destination: 0.0.0.0/0, Gateway: the IP of the gateway. The interface was automatically and properly picked by the FW.
3. The public IP of the server that is allowed to connect to the platform was created (Policy & Objects -> Addresses).
4. Two Virtual IPs were created: one from the public server IP to the internal server and another from the IP of the DMZ port to the internal server (in Policy & Objects -> IPv4 Policy). Then an IPv4 Virtual IP Group was created, including the two Virtual IPs.
   - Each of the Virtual IPs has Port Forwarding enabled with the needed ports.
5. Two policies (Policy & Objects -> IPv4 Policy) were created: one allowing traffic from DMZ to LAN, from the public server IP to the Virtual IP group, and another allowing any traffic from LAN to the DMZ.
   - Each of the policies has NAT enabled with the "Use Outgoing Interface Address" option.

The problem is, when trying to access from the internet server, the traffic is received on the internal server on the expected port, so NAT from the internet is working as expected. Then the internal server replies and the reply gets to the FW, but the FW never sends the reply back to the internet via the DMZ port. What am I missing?

Thanks a lot

BR

1 REPLY
    Dave_Hall
    Honored Contributor

If you have "public servers" with public IP addresses that are mapped to an internal IP address (or addresses) behind the FGT firewall, then you likely need to set up a VIP in the opposite direction, using a one-to-one IP pool.

Very basic example (the xx addresses and the interface names are placeholders for your own):

-------------------------
config firewall address
    edit "internal-server"
        set subnet 192.168.0.xx 255.255.255.255
    next
end
-------------------------
# One-to-one pool: connections the server opens to the Internet are
# source-NATed to its own public IP instead of the wan1 interface address
config firewall ippool
    edit "ServerIP-pool"
        set type one-to-one
        set startip 204.199.90.xx
        set endip 204.199.90.xx
    next
end
-------------------------
# Inbound direction: the public IP arriving on wan1 is DNATed to the server
config firewall vip
    edit "VIP-to-internal-server"
        set extip 204.199.90.xx
        set extintf "wan1"
        set mappedip "192.168.0.xx"
    next
end
-------------------------
# Outbound policy: server -> Internet, SNAT through the one-to-one pool.
# "All_External" is an address object that must already exist
# (the built-in "all" object can be used instead).
config firewall policy
    edit 0
        set srcintf "internal_net"
        set dstintf "wan1"
        set srcaddr "internal-server"
        set dstaddr "All_External"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "ServerIP-pool"
        set nat enable
    next
end
-------------------------
# Inbound policy: Internet -> VIP. Note that "set nat enable" here also
# source-NATs the client to the internal_net interface address, so the
# server logs the FortiGate's IP rather than the real client; leave it
# out if the server needs to see client addresses.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal_net"
        set srcaddr "All_External"
        set dstaddr "VIP-to-internal-server"
        set action accept
        set schedule "always"
        set service "Web Access"
        set nat enable
    next
end
-------------------------

Take extra security precautions (like applying IPS or other UTM features) to safeguard your "public" servers if they are housed behind your FGT.

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
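To find out where the server's reply is actually being dropped, as described in the original post (the reply reaches the FortiGate but never leaves the DMZ port), and to verify a VIP/IP-pool setup like the one in the reply above, here is an added FortiOS CLI troubleshooting sequence. It is not part of either post. The interface names lan and dmz, the internal server address 192.168.0.10 and the public address 203.0.113.10 (an RFC 5737 documentation range) are placeholders to replace with your own values; the sniffer verbosity 4 is used because it prints the interface each packet enters and leaves on.

```fortios
# Added example, not from the original thread. Placeholders:
#   lan           = interface facing the internal server
#   dmz           = interface facing the Internet gateway
#   192.168.0.10  = internal server (mapped IP of the VIP)
#   203.0.113.10  = public IP the outside client connects to (extip of the VIP)

# 1. Confirm the default route really leaves through the dmz interface.
get router info routing-table all

# 2. Confirm the VIPs and policies are what you think they are
#    (extintf on the VIP must be the interface the public traffic arrives on).
show firewall vip
show firewall policy

# 3. Trace one connection through the packet-flow debugger. Start the trace,
#    open a single test connection from the Internet host, then stop it.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.0.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 50
diagnose debug enable
#    ... generate the test connection from the outside host now ...
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset

# 4. Capture the same connection on every interface, with interface names shown.
#    On dmz the server appears as 203.0.113.10, on lan as 192.168.0.10, hence
#    both hosts in the filter. Limited to 20 packets so it is safe on a live box.
diagnose sniffer packet any 'host 192.168.0.10 or host 203.0.113.10' 4 20 l

# 5. Inspect the session the FortiGate created for the connection.
#    The session is listed under the address the client originally connected to.
diagnose sys session filter clear
diagnose sys session filter dst 203.0.113.10
diagnose sys session list
diagnose sys session filter clear
```

In the step 3 output, the "find a route" lines show which interface the FortiGate picked for each direction of the session; if the reply direction shows the wrong interface, the routing (step 1) or the interface configured on the VIP is the cause. A line ending in "reverse path check fail, drop" means the FortiGate has a better route to the source address out of a different interface than the one the packet arrived on, and "iprope_in_check() check failed ... drop" means no policy matched. In the step 4 capture a healthy exchange shows each request packet as "in dmz" then "out lan", and each reply as "in lan" then "out dmz"; a reply that is seen "in lan" with no matching "out dmz" line confirms the drop is inside the FortiGate rather than on the upstream gateway. Always finish with "diagnose debug disable" and "diagnose debug reset"; leaving flow debugging on is a significant CPU cost on a production unit.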
