Fortigate NAT DMZ


To publish a DMZ server on an outside (public) IP, first make sure you have a policy with source NAT that lets LAN users reach the internet. In this example port1 is the WAN interface, port2 the DMZ and port3 the LAN.

config firewall policy
 edit 1
  set srcintf "port3"
  set dstintf "port1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
  set nat enable
  set comments "LAN (port3) to Internet (port1), source NAT to the WAN address"
 next
end

Once that is in place, create the Virtual IP (VIP) that forwards the public IP to the server's private IP, and the policy from WAN to DMZ. Let's say you want to forward 203.123.45.6 to 172.16.0.10:

config firewall vip
 edit "NAT-Webserver"
  set extip 203.123.45.6
  set extintf "any"
  set mappedip 172.16.0.10
  set comment "Public 203.123.45.6 -> DMZ web server 172.16.0.10"
 next
end
config firewall policy
 edit 2
  set srcintf "port1"
  set dstintf "port2"
  set srcaddr "all"
  set dstaddr "NAT-Webserver"
  set action accept
  set schedule "always"
  set service "ALL"
  set comments "Internet (port1) to DMZ (port2) web server via VIP"
 next
end

In some cases, if the public IP is attached to a domain name for the web server, LAN users won't be able to reach it by that name: the two NATs overlap, so the request from the LAN is not delivered to the server unless you access it by its private IP.

You need to configure a new policy for the LAN users to be able to access the public IP:

config firewall policy
 edit 3
  set srcintf "port3"
  set dstintf "port2"
  set srcaddr "all"
  set dstaddr "NAT-Webserver"
  set action accept
  set schedule "always"
  set service "ALL"
  set comments "LAN (port3) to DMZ (port2) web server via its public IP"
 next
end

That’s it! Now the LAN users are able to access the web server in the DMZ by its public IP.

*The traffic is not actually forwarded to the internet: the FortiGate translates the destination and forwards it directly between the LAN and DMZ interfaces.

*If the web server sits behind the same interface as the internal network, create a similar policy to the one above with the same incoming and outgoing interface (srcintf and dstintf both set to the LAN interface).
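To see why the third policy is needed, here is a small model of the lookup a FortiGate performs: the VIP rewrites the destination (DNAT) first, the egress interface is then chosen by a route lookup on the translated address, and only then is the policy list searched top-down by srcintf, dstintf and dstaddr. This is an added example written for this post, not FortiOS code or Fortinet's own algorithm; interface names, the 203.123.45.6/172.16.0.10 pair and policy IDs 1-3 come from the post, while the routing table, the 192.168.1.0/24 LAN prefix, the second VIP (203.123.45.7 to 192.168.1.50) and policy 4 for the same-interface case are constructed to illustrate the last note.

```python
"""Toy model of the FortiGate VIP + policy lookup described in the post.

Assumptions (not from FortiOS): ROUTES is a constructed routing table,
192.168.1.0/24 is the assumed LAN prefix, and VIP "NAT-Intranet" with
policy 4 is a constructed server-on-the-same-interface case.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table: prefix reachable through each interface.
ROUTES = {
    "port1": ip_network("0.0.0.0/0"),       # WAN, default route
    "port2": ip_network("172.16.0.0/24"),   # DMZ (from the post)
    "port3": ip_network("192.168.1.0/24"),  # LAN (assumed prefix)
}


@dataclass
class Vip:
    name: str
    extip: str
    mappedip: str
    extintf: str = "any"


@dataclass
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    dstaddr: str        # "all" or the name of a VIP
    nat: bool = False   # "set nat enable" (source NAT)


VIPS = [
    Vip("NAT-Webserver", "203.123.45.6", "172.16.0.10"),   # from the post
    Vip("NAT-Intranet", "203.123.45.7", "192.168.1.50"),   # constructed, server on the LAN
]

POLICIES = [
    Policy(1, "port3", "port1", "all", nat=True),   # LAN -> Internet, SNAT
    Policy(2, "port1", "port2", "NAT-Webserver"),    # WAN -> DMZ via VIP
    Policy(3, "port3", "port2", "NAT-Webserver"),    # LAN -> DMZ via the public IP
    Policy(4, "port3", "port3", "NAT-Intranet"),     # same in/out interface (last note)
]


def egress_interface(dst: str) -> str:
    """Longest-prefix match over the constructed routing table."""
    addr = ip_address(dst)
    intf, _ = max(((i, n) for i, n in ROUTES.items() if addr in n),
                  key=lambda t: t[1].prefixlen)
    return intf


def apply_vip(ingress: str, dst: str):
    """DNAT step: a VIP whose extip matches the destination rewrites it
    before any policy is evaluated. Returns (real destination, VIP name)."""
    for v in VIPS:
        if v.extip == dst and v.extintf in ("any", ingress):
            return v.mappedip, v.name
    return dst, None


def lookup(policies, srcintf: str, dst: str):
    """First matching policy wins; no match means the implicit deny."""
    real_dst, vip_name = apply_vip(srcintf, dst)
    dstintf = egress_interface(real_dst)
    for p in policies:
        if p.srcintf != srcintf or p.dstintf != dstintf:
            continue
        # A VIP object in dstaddr only matches traffic translated by that VIP.
        if p.dstaddr != "all" and p.dstaddr != vip_name:
            continue
        return {"policy": p.policyid, "dstintf": dstintf,
                "real_dst": real_dst, "snat": p.nat}
    return None


def demo():
    """The flows discussed in the post, with and without policy 3."""
    without_policy3 = POLICIES[:2]
    return {
        "lan_to_internet": lookup(POLICIES, "port3", "8.8.8.8"),
        "wan_to_webserver": lookup(POLICIES, "port1", "203.123.45.6"),
        "lan_to_public_ip_without_policy3": lookup(without_policy3, "port3", "203.123.45.6"),
        "lan_to_public_ip_with_policy3": lookup(POLICIES, "port3", "203.123.45.6"),
        "lan_same_interface": lookup(POLICIES, "port3", "203.123.45.7"),
    }


if __name__ == "__main__":
    for flow, result in demo().items():
        print(f"{flow}: {result if result else 'implicit deny'}")
```

Running it shows the LAN request to 203.123.45.6 being translated to 172.16.0.10 and routed out of port2, so policy 1 (port3 to port1) never matches and the flow hits the implicit deny until policy 3 exists; the same-interface case only matches once a port3-to-port3 policy is present, which is the situation the last note describes.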

 
