Configuring virtual IPs Firewall Virtual IP
FortiGate Version 4.0 MR1 Administration Guide
452 01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
Configuring virtual IPs
A virtual IP’s external IP address can be a single IP address or an IP address range, and
is bound to a FortiGate unit interface. When you bind the virtual IP’s external IP address to
a FortiGate unit interface, by default, the network interface responds to ARP requests for
the bound IP address or IP address range. Virtual IPs use proxy ARP, as defined in RFC
1027, so that the FortiGate unit can respond to ARP requests on a network for a server
that is actually installed on another network. To disable ARP replies, see the FortiGate CLI
Reference.
A virtual IP’s mapped IP address can be a single IP address, or an IP address range.
When the FortiGate unit receives packets matching a firewall policy whose Destination
Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packet’s
destination IP address with the virtual IP’s mapped IP address.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For example, to add a firewall policy that maps public network
addresses to a private network, add an external to internal firewall policy whose
Destination Address field is a virtual IP.
Figure 251: Creating a Virtual IP
Name Enter or change the name to identify the virtual IP. To avoid confusion,
addresses, address groups, and virtual IPs cannot have the same names.
External Interface Select the virtual IP external interface from the list. The external interface is
connected to the source network and receives the packets to be forwarded to
the destination network. You can select any FortiGate interface, VLAN
subinterface, VPN interface, or modem interface.
Type VIP type is Static NAT, read only.
External IP
Address/Range
Enter the external IP address that you want to map to an address on the
destination network.
To configure a dynamic virtual IP that accepts connections for any IP address,
set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you
can only add one mapped IP address. For a load balance dynamic virtual IP
you can specify a single mapped address or a mapped address range.
Mapped IP
Address/Range
Enter the real IP address on the destination network to which the external IP
address is mapped.
You can also enter an address range to forward packets to multiple IP
addresses on the destination network.
For a static NAT virtual IP, if you add a mapped IP address range the FortiGate
unit calculates the external IP address range and adds the IP address range to
the External IP Address/Range field.
This option appears only if Type is Static NAT.
Port Forwarding Select to perform port address translation (PAT).
To Next Page
Loading...
Need help?
General