Firewall Virtual IP Configuring virtual IPs
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 259
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to three individual web servers on the DMZ network. In our example the
external interface of the FortiGate unit is connected to the Internet and the dmz1
interface is connected to the DMZ network.
Figure 153:Virtual IP options; static NAT virtual IP with an IP address range
4 Select OK.
To add a static NAT virtual IP with an IP address range to a firewall policy
Add a external to dmz1 firewall policy that uses the virtual IP so that when users
on the Internet attempt to connect to the server IP addresses, packets pass
through the FortiGate unit from the external interface to the dmz1 interface. The
virtual IP translates the destination addresses of these packets from the external
IP to the DMZ network IP addresses of the servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
3 Select NAT.
4 Select OK.
Name static_NAT_range
External Interface external
Type Static NAT
External IP Address/Range The Internet IP address range of the web servers.
The external IP addresses must be static IP addresses
obtained from your ISP for your web server. These
addresses must be unique IP addresses that are not used by
another host and cannot be the same as the IP addresses of
the external interface the virtual IP will be using. However,
the external IP addresses must be routed to the selected
interface. The virtual IP addresses and the external IP
address can be on different subnets. When you add the
virtual IP, the external interface responds to ARP requests
for the external IP addresses.
Map to IP/IP Range The IP address range of the servers on the internal network.
Define the range by entering the first address of the range in
the first field and the last address of the range in the second
field.
Source Interface/Zone external
Source Address Name All (or a more specific address)
Destination Interface/Zone dmz1
Destination Address Name static_NAT_range
Schedule always
Service HTTP
Action ACCEPT
To Next Page
Loading...
Need help?
General