Comments on: Fortigate Static NAT Configuration

By: Roel

Roel — Fri, 23 Jul 2010 12:45:21 +0000

Excellent short guide, works like a charm! Thanks!

By: Chris

Chris — Thu, 22 Apr 2010 16:15:16 +0000

@WalkerBoh42 I'm not familiar with the clustering features on the Fortigate units. I am actually in the process of migrating from a single Fortigate 800 to a pair of Juniper SRX240's. @Paul Kuhne On the Fortigate 800 you can add multiple IP addresses to an interface. This is done under the System -> Network -> Interface menu. Once you select the interface you wish to configure (probably External), look for the "Secondary IP Address" option. From there you add the needed IP addresses and choose to enable remote administration (HTTP/HTTPS) on one or more of the IP addresses. Note, this may not be available on the 80c. Using different IPs based on the external service the workstation is attempting to use is a bit tricky. Most likely you will have to get creative with the firewall policies, however you may not be able to accomplish this with the 80c.

By: Paul Kuhne

Paul Kuhne — Wed, 07 Apr 2010 08:07:23 +0000

I have an issue with UPC business; we are using a fortigate 80c. UPC provided us with 4 fixed IP-adresses. However, I could only use 1 on the external interface wan-1, and all mapping with NAT. What I would like to do is use different IP’s for HTTP, FTP-access, Audio-streams, Remote administration. So every use it’s own IP xxx.xxx.xxx.250-254. I can’t get all 4 IP’s been seen on the outside (WAN). Can you help me out ?

By: WalkerBoh42

WalkerBoh42 — Sun, 14 Feb 2010 12:45:02 +0000

Thanks for the reply guys. All working perfectly now.

Next question (might not be the right thread for this). I have setup 4 blades into an ELBC cluster. I need to be able enable RIP. I had RIP working on the HA cluster, but when I changed it to the ELBC it got broken!!

Any suggestions.

Thanks

By: Chris

Chris — Sun, 07 Feb 2010 14:01:06 +0000

@cdm You will want to have a look at port forwarding as well as the one to many NAT feature. I have not played with these features, so I am unsure of they will accomplish your goal.

By: Chris

Chris — Sun, 07 Feb 2010 13:59:55 +0000

@Walkerboh42 Have a look at my Fortigate NAT Overload (PAT) article. You can use the PAT address that is assigned to your external interface for any other traffic that does not need a dedicated IP (such as DNS forwarding). Juts be sure you create a policy that allow DNS queries from your internal server to get to the external DNS servers that you are using. I use this method with our Fortigate and it works well.

By: Walkerboh42

Walkerboh42 — Sun, 07 Feb 2010 11:46:35 +0000

Thanks for the easy to follow steps. I have just one question. How do I configure the VIP for traffic that is initiated inside the private network? DNS for example needs to forward to a server in another network on a natted address.

Thanks

By: cdm

cdm — Tue, 26 Jan 2010 03:00:20 +0000

Not to be late to the party here – but great article – very easy to follow..

My issue is that I am trying to get one WAN address to forward traffic to multiple LAN addresses..

So – 4.2.2.2 will have to ports open 80 and 25.. 80 needs to route to 192.168.0.5 and 25 needs to route to 192.168.0.10..

Thanks in advance..

By: Chris

Chris — Thu, 03 Sep 2009 23:29:30 +0000

@Dfine I'm not near a computer right now, so i can't reference a specific page in the Fortigate Administrators manual. However, there is a way to assign multiple IP addresses to an interface. I believe that is what you will want to do in order to perform NAT for multiple IP ranges. Also, make sure your Fortigate has a route for the other IP range pointing out your external interface.

By: Dfine

Dfine — Thu, 03 Sep 2009 15:57:12 +0000

Hi Chris,

This seems to work fine if I use an ip that is on the same range as my external interface – however I have a need to NAT another range that is routed to my Fortigate by the ISP – and this seems to not work – any ideas ?

(for example if my external is 192.168.1.1/24, I need to NAT 192.168.2.1/24 – this 192.168.2.1/24 is routed to the 192.168.1.1 and I see the traffic hitting the external interface but it never gets forwarded to the inside)

Look forward to your comment.

Thanks in advance.

By: Chris

Chris — Tue, 04 Aug 2009 18:15:08 +0000

@Doc The screen shots used in both articles are from a Fortigate 800 using the "FGT_800-v400-build0099-FORTINET.out" image. From the time stamp of this file on Fortigate's FTP site, this image was uploaded on April of 2009. So at the time I wrote this article, the firmware on the Fortigate was only 2 months old). Thanks for reading my blog!

By: Ramkumar C

Ramkumar C — Fri, 31 Jul 2009 06:42:34 +0000

This is very good guide. Its working for good.thanks a lot

By: Doc

Doc — Fri, 31 Jul 2009 03:18:12 +0000

Would help if you updated your firmware once and a while to get current with the program of options that are current and not 5+ years old!

Get with the program will ya.

5 Years real world experienced, certified Fortigate Specialist.

Doc