Fortinet Document Library

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

NAT and transparent mode

In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

This configuration requires the following steps:

  1. Configure VDOM-A
  2. Configure VDOM-B

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Name

    internal-network

    Type

    Subnet

    Subnet / IP Range

    192.168.10.0/24

    Interface

    port1

    Show in Address List

    enabled

To add the firewall addresses with the CLI:

config vdom

edit VDOM-A

config firewall address

edit internal-network

set associated-interface port1

set subnet 192.168.10.0 255.255.255.0

next

end

next

end

To add a default route in the GUI:
  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.201.7

    Interface

    wan1

    Distance

    10

To add a default route with the CLI:

config vdom

edit VDOM-A

config router static

edit 0

set gateway 172.20.201.7

set device wan1

next

end

next

end

To add the security policy in the GUI:
  1. Connect to VDOM-A.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:

    Name

    VDOM-A-Internet

    Incoming Interface

    port1

    Outgoing Interface

    wan1

    Source Address

    internal-network

    Destination Address

    all

    Schedule

    always

    Service

    ALL

    Action

    ACCEPT

    NAT

    enabled

To add the security policy with the CLI:

config vdom

edit VDOM-A

config firewall policy

edit 0

set name VDOM-A-Internet

set srcintf port1

set dstintf wan1

set srcaddr internal-network

set dstaddr all

set action accept

set schedule always

set service ALL

set nat enable

next

end

next

end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    FTP-server

    Type

    Subnet

    Subnet / IP Range

    172.25.177.42/32

    Interface

    port2

    Show in Address List

    enabled

To add the firewall addresses with the CLI:

config vdom

edit VDOM-B

config firewall address

edit FTP-server

set associated-interface port2

set subnet 172.25.177.42 255.255.255.255

next

end

next

end

To add a default route in the GUI:
  1. Go to Network > Routing Table and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.10.10

To add a default route with the CLI:

config vdom

edit VDOM-B

config router static

edit 0

set gateway 172.20.10.10

next

end

next

end

To add the security policy in the GUI:
  1. Connect to VDOM-B.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:

    Name

    Access-server

    Incoming Interface

    wan2

    Outgoing Interface

    port2

    Source Address

    all

    Destination Address

    FTP-server

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

To add the security policy with the CLI:

config vdom

edit VDOM-B

config firewall policy

edit 0

set name Access-server

set srcintf wan2

set dstintf port2

set srcaddr all

set dstaddr FTP-server-VIP

set action accept

set schedule always

set service FTP

next

end

next

end

NAT and transparent mode

In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

This configuration requires the following steps:

  1. Configure VDOM-A
  2. Configure VDOM-B

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Name

    internal-network

    Type

    Subnet

    Subnet / IP Range

    192.168.10.0/24

    Interface

    port1

    Show in Address List

    enabled

To add the firewall addresses with the CLI:

config vdom

edit VDOM-A

config firewall address

edit internal-network

set associated-interface port1

set subnet 192.168.10.0 255.255.255.0

next

end

next

end

To add a default route in the GUI:
  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.201.7

    Interface

    wan1

    Distance

    10

To add a default route with the CLI:

config vdom

edit VDOM-A

config router static

edit 0

set gateway 172.20.201.7

set device wan1

next

end

next

end

To add the security policy in the GUI:
  1. Connect to VDOM-A.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:

    Name

    VDOM-A-Internet

    Incoming Interface

    port1

    Outgoing Interface

    wan1

    Source Address

    internal-network

    Destination Address

    all

    Schedule

    always

    Service

    ALL

    Action

    ACCEPT

    NAT

    enabled

To add the security policy with the CLI:

config vdom

edit VDOM-A

config firewall policy

edit 0

set name VDOM-A-Internet

set srcintf port1

set dstintf wan1

set srcaddr internal-network

set dstaddr all

set action accept

set schedule always

set service ALL

set nat enable

next

end

next

end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    FTP-server

    Type

    Subnet

    Subnet / IP Range

    172.25.177.42/32

    Interface

    port2

    Show in Address List

    enabled

To add the firewall addresses with the CLI:

config vdom

edit VDOM-B

config firewall address

edit FTP-server

set associated-interface port2

set subnet 172.25.177.42 255.255.255.255

next

end

next

end

To add a default route in the GUI:
  1. Go to Network > Routing Table and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.10.10

To add a default route with the CLI:

config vdom

edit VDOM-B

config router static

edit 0

set gateway 172.20.10.10

next

end

next

end

To add the security policy in the GUI:
  1. Connect to VDOM-B.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:

    Name

    Access-server

    Incoming Interface

    wan2

    Outgoing Interface

    port2

    Source Address

    all

    Destination Address

    FTP-server

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

To add the security policy with the CLI:

config vdom

edit VDOM-B

config firewall policy

edit 0

set name Access-server

set srcintf wan2

set dstintf port2

set srcaddr all

set dstaddr FTP-server-VIP

set action accept

set schedule always

set service FTP

next

end

next

end