Fortinet Document Library

Version:

Version:

Version:


Table of Contents

Administration Guide

Download PDF
Copy Link

NAT and transparent mode

In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

This configuration requires the following steps:

  1. Configure VDOM-A
  2. Configure VDOM-B

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Name

    internal-network

    Type

    Subnet

    Subnet / IP Range

    192.168.10.0/24

    Interface

    port1

    Show in Address List

    enabled

  3. Click OK.
To add the firewall addresses with the CLI:
config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end
To add a default route in the GUI:
  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.201.7

    Interface

    wan1

    Distance

    10

  3. Click OK.
To add a default route with the CLI:
config vdom
    edit VDOM-A
        config firewall address
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end
To add the security policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    VDOM-A-Internet

    Incoming Interface

    port1

    Outgoing Interface

    wan1

    Source

    internal-network

    Destination

    all

    Schedule

    always

    Service

    ALL

    Action

    ACCEPT

    NAT

    enabled

  3. Click OK.
To add the security policy with the CLI:
config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name VDOM-A-Internet
                set srcintf port1
                set dstintf wan1
                set srcaddr internal-network
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    FTP-server

    Type

    Subnet

    Subnet / IP Range

    172.25.177.42/32

    Interface

    port2

    Show in Address List

    enabled

  3. Click OK.
To add the firewall addresses with the CLI:
config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 172.25.177.42 255.255.255.255
            next
        end
    next
end
To add a default route in the GUI:
  1. Go to Network > Routing Table and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.10.10

  3. Click OK.
To add a default route with the CLI:
config vdom
    edit VDOM-B
        config router static
            edit 0
                set gateway 172.20.10.10
            next
        end
    next
end
To add the security policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    Access-server

    Incoming Interface

    wan2

    Outgoing Interface

    port2

    Source

    all

    Destination

    FTP-server

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

  3. Click OK.
To add the security policy with the CLI:
config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Access-server
                set srcintf wan2
                set dstintf port2
                set srcaddr all
                set dstaddr FTP-server-VIP
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end

NAT and transparent mode

In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

This configuration requires the following steps:

  1. Configure VDOM-A
  2. Configure VDOM-B

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Name

    internal-network

    Type

    Subnet

    Subnet / IP Range

    192.168.10.0/24

    Interface

    port1

    Show in Address List

    enabled

  3. Click OK.
To add the firewall addresses with the CLI:
config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end
To add a default route in the GUI:
  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.201.7

    Interface

    wan1

    Distance

    10

  3. Click OK.
To add a default route with the CLI:
config vdom
    edit VDOM-A
        config firewall address
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end
To add the security policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    VDOM-A-Internet

    Incoming Interface

    port1

    Outgoing Interface

    wan1

    Source

    internal-network

    Destination

    all

    Schedule

    always

    Service

    ALL

    Action

    ACCEPT

    NAT

    enabled

  3. Click OK.
To add the security policy with the CLI:
config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name VDOM-A-Internet
                set srcintf port1
                set dstintf wan1
                set srcaddr internal-network
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    FTP-server

    Type

    Subnet

    Subnet / IP Range

    172.25.177.42/32

    Interface

    port2

    Show in Address List

    enabled

  3. Click OK.
To add the firewall addresses with the CLI:
config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 172.25.177.42 255.255.255.255
            next
        end
    next
end
To add a default route in the GUI:
  1. Go to Network > Routing Table and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.10.10

  3. Click OK.
To add a default route with the CLI:
config vdom
    edit VDOM-B
        config router static
            edit 0
                set gateway 172.20.10.10
            next
        end
    next
end
To add the security policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    Access-server

    Incoming Interface

    wan2

    Outgoing Interface

    port2

    Source

    all

    Destination

    FTP-server

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

  3. Click OK.
To add the security policy with the CLI:
config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Access-server
                set srcintf wan2
                set dstintf port2
                set srcaddr all
                set dstaddr FTP-server-VIP
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end