I want to know the reason

jackhunter
Level 1

I installed a FortiGate VM in VMware and a Cisco CSR1000v router as well.

I want the FortiGate to access the internet via the router, so I configured PAT in the router, and I also want to access the FortiGate web interface from outside (the internet), so I configured port forwarding in the router, but I can't access it. I can only access it when I delete the PAT config (FortiGate to the internet). Why can I access the FortiGate web interface from outside when I delete the PAT, but not when the PAT is installed???

And this is my config: test.png

Letting the FortiGate access the internet (PAT):

ip nat inside source list 1 interface GigabitEthernet1 overload

access-list 1 permit 192.168.3.0 0.0.0.255

interface GigabitEthernet1
ip address 192.168.1.16 255.255.255.0
ip nat outside

interface GigabitEthernet2
ip address 192.168.3.2 255.255.255.0
ip nat inside

And this is the port forwarding to access the FortiGate from outside:

ip nat inside source static tcp 192.168.3.3 80 192.168.1.16 80 extendable

3 Replies

ip nat inside source list 1 interface GigabitEthernet1 overload

access-list 1 permit 192.168.3.0 0.0.0.255

Instead, use a route-map and match the IP access-list, as shown below:

ip nat inside source route-map MHM interface GigabitEthernet1 overload

ip access-list extended 100
 permit ip 192.168.3.0 0.0.0.255 any
!
! route-map referenced by the overload statement above (definition was
! not shown in the original reply): it matches ACL 100
route-map MHM permit 10
 match ip address 100

@MHM Cisco World thanks for your response, and I want to know why you did that. I don't understand your config; is it a new command to do PAT, or what?

Why can I access when PAT is applied, and why, when it is removed, could I not?
When you initiate traffic from the OUT to the FW,
the static NAT will be used for UN-NAT (from global to local).
The return traffic, will it be NAT or PAT?
The return traffic will be PAT, and that is why your access fails.
Then how can I make both PAT and NAT work?
1- First solution, as I mentioned above: add a route-map instead of a list in the PAT.
2- Second solution is to deny the TCP traffic from the PAT:
ip access-list extended 100
 ! replies from the forwarded web server (source port 80) must not be PAT'd
 10 deny tcp 192.168.3.0 0.0.0.255 eq 80 any
 20 permit ip 192.168.3.0 0.0.0.255 any
!
ip nat inside source list 100 interface GigabitEthernet1 overload
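The failure described in this thread comes down to one condition: the inside host and port named in the static port-forward are also permitted by the ACL that drives the `overload` (PAT) statement, so the web server's replies get matched by the dynamic PAT instead of the static entry. The following Python script is an added example, not part of this thread and not a Cisco tool: it parses the small subset of IOS NAT and ACL syntax used here, evaluates the ACL first-match the way IOS does, and reports whether each static TCP entry overlaps the overload ACL. The two embedded configs are constructed from the thread (the original one and the second fix); `src_network`, `parse_ace`, `parse_config`, `first_match` and `analyze` are names chosen for this example. Route-map-based overload statements are reported as not checked rather than evaluated.

```python
"""Constructed lint for the overlap in this thread: a static 'ip nat inside
source static tcp' entry whose inside host/port is also permitted by the ACL
of an 'ip nat inside source list ... overload' line (hypothetical helper)."""
import ipaddress
import re

# Constructed sample: the original poster's config (static + list overload).
ORIGINAL_CONFIG = """
ip nat inside source list 1 interface GigabitEthernet1 overload
access-list 1 permit 192.168.3.0 0.0.0.255
ip nat inside source static tcp 192.168.3.3 80 192.168.1.16 80 extendable
"""

# Constructed sample: the thread's second fix, with the deny on the web
# server's reply traffic (source port 80) ahead of the permit.
FIXED_CONFIG = """
ip access-list extended 100
 10 deny tcp 192.168.3.0 0.0.0.255 eq 80 any
 20 permit ip 192.168.3.0 0.0.0.255 any
!
ip nat inside source list 100 interface GigabitEthernet1 overload
ip nat inside source static tcp 192.168.3.3 80 192.168.1.16 80 extendable
"""

def src_network(addr, wildcard):
    """IOS address/wildcard pair -> ip_network (ipaddress accepts hostmasks)."""
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse_ace(action, rest):
    """Parse what follows permit/deny: [proto] source [eq port] ..."""
    tok = rest.split()
    proto = "ip"
    if tok[0] in ("ip", "tcp", "udp", "icmp"):
        proto = tok.pop(0)
    if tok[0] == "any":
        net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = src_network(tok[1], "0.0.0.0"), tok[2:]
    elif len(tok) >= 2 and re.fullmatch(r"[\d.]+", tok[1]):
        net, tok = src_network(tok[0], tok[1]), tok[2:]
    else:  # standard ACL with a bare host address
        net, tok = src_network(tok[0], "0.0.0.0"), tok[1:]
    src_port = int(tok[1]) if len(tok) >= 2 and tok[0] == "eq" else None
    return {"action": action, "proto": proto, "src": net, "src_port": src_port}

def parse_config(text):
    """Collect (ip, port) statics, (kind, name) overloads and ACLs by name."""
    statics, overloads, acls, current_acl = [], [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"(?:\d+ )?(permit|deny) (.+)", line)
        if m and current_acl is not None:  # body line of a named ACL
            acls[current_acl].append(parse_ace(m.group(1), m.group(2)))
            continue
        current_acl = None  # any other line leaves ACL config mode
        m = re.match(r"ip nat inside source static tcp (\S+) (\d+) \S+ \d+", line)
        if m:
            statics.append((m.group(1), int(m.group(2))))
        m = re.match(r"ip nat inside source (list|route-map) (\S+) interface \S+ overload", line)
        if m:
            overloads.append((m.group(1), m.group(2)))
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current_acl = m.group(1)
            acls.setdefault(current_acl, [])
        m = re.match(r"access-list (\S+) (permit|deny) (.+)", line)
        if m:  # classic numbered form on one line
            acls.setdefault(m.group(1), []).append(parse_ace(m.group(2), m.group(3)))
    return statics, overloads, acls

def first_match(aces, ip, proto, port):
    """IOS-style first-match evaluation; implicit deny if nothing matches."""
    addr = ipaddress.ip_address(ip)
    for ace in aces:
        if ace["proto"] in ("ip", proto) and addr in ace["src"] \
                and ace["src_port"] in (None, port):
            return ace["action"]
    return "deny"

def analyze(text):
    """(overload name, 'ip:port', verdict) per static entry; 'permit' is the
    overlap from the thread: the static host's replies also hit the PAT ACL."""
    statics, overloads, acls = parse_config(text)
    results = []
    for kind, name in overloads:
        for ip, port in statics:
            if kind == "route-map":
                verdict = "not-checked (route-map)"
            else:
                verdict = first_match(acls.get(name, []), ip, "tcp", port)
            results.append((name, f"{ip}:{port}", verdict))
    return results

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, analyze(cfg))
```

Running it reports `permit` for the original config (the static host's port-80 replies are also caught by ACL 1, the overlap the reply above describes) and `deny` for the corrected ACL 100, where the explicit deny on source port 80 sits ahead of the permit. The evaluation is deliberately keyed on the static entry's inside address and port as the *source* of the return traffic, since that is the direction in which the dynamic PAT was winning.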