Configuring virtual IPs
Firewall Virtual IP
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
A virtual IP’s external IP address can be a single IP address or an IP address range, and
is bound to a FortiGate unit interface. When you bind the virtual IP’s external IP address to
a FortiGate unit interface, by default, the network interface responds to ARP requests for
the bound IP address or IP address range. Virtual IPs use proxy ARP, as defined in RFC
1027, so that the FortiGate unit can respond to ARP requests on a network for a server
that is actually installed on another network. To disable ARP replies, see the
.
A virtual IP’s mapped IP address can be a single IP address, or an IP address range.
When the FortiGate unit receives packets matching a firewall policy whose Destination
Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packet’s
destination IP address with the virtual IP’s mapped IP address.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For example, to add a firewall policy that maps public network
addresses to a private network, add an external to internal firewall policy whose
Destination Address field is a virtual IP.
Figure 225: Creating a Virtual IP
Name
Enter or change the name to identify the virtual IP. To avoid confusion,
addresses, address groups, and virtual IPs cannot have the same names.
External Interface
Select the virtual IP external interface from the list. The external interface is
connected to the source network and receives the packets to be forwarded to
the destination network. You can select any FortiGate interface, VLAN
subinterface, VPN interface, or modem interface.
Type
VIP type is Static NAT, read only.
External IP Address/Range
Enter the external IP address that you want to map to an address on the
destination network.
To configure a dynamic virtual IP that accepts connections for any IP address,
set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you
can only add one mapped IP address. For a load balance dynamic virtual IP
you can specify a single mapped address or a mapped address range.
Mapped IP Address/Range
Enter the real IP address on the destination network to which the external IP
address is mapped.
You can also enter an address range to forward packets to multiple IP
addresses on the destination network.
For a static NAT virtual IP, if you add a mapped IP address range the FortiGate
unit calculates the external IP address range and adds the IP address range to
the External IP Address/Range field.
This option appears only if Type is Static NAT.
Port Forwarding
Select to perform port address translation (PAT).
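The relationship between the External IP Address/Range and Mapped IP Address/Range fields described above can be modelled to review which internal hosts a virtual IP exposes. This is an added example, not code from the guide or from Fortinet: the class and method names are hypothetical, the addresses are constructed, and the one-to-one offset mapping inside a range is an assumption about how static NAT pairs the two ranges.

```python
import ipaddress

ANY = ipaddress.IPv4Address("0.0.0.0")  # guide: external IP 0.0.0.0 = dynamic virtual IP


class StaticNatVip:
    """Hypothetical model of a static NAT virtual IP (not FortiOS identifiers)."""

    def __init__(self, ext_start, mapped_start, mapped_end=None):
        self.ext_start = ipaddress.IPv4Address(ext_start)
        self.mapped_start = ipaddress.IPv4Address(mapped_start)
        self.mapped_end = ipaddress.IPv4Address(mapped_end or mapped_start)
        if self.mapped_end < self.mapped_start:
            raise ValueError("mapped range end precedes start")
        self.dynamic = self.ext_start == ANY
        if self.dynamic and self.mapped_end != self.mapped_start:
            # guide: a static NAT dynamic virtual IP takes only one mapped address
            raise ValueError("dynamic static NAT VIP allows one mapped IP")
        self.span = int(self.mapped_end) - int(self.mapped_start)
        # The external range is calculated from the size of the mapped range.
        self.ext_end = self.ext_start if self.dynamic else self.ext_start + self.span

    def external_range(self):
        return (str(self.ext_start), str(self.ext_end))

    def translate(self, dst):
        """Return the mapped destination for dst, or None if the VIP does not match."""
        dst = ipaddress.IPv4Address(dst)
        if self.dynamic:
            return str(self.mapped_start)  # any destination address is accepted
        if not (self.ext_start <= dst <= self.ext_end):
            return None
        # Assumption: addresses pair one-to-one by offset within the range.
        return str(self.mapped_start + (int(dst) - int(self.ext_start)))

    def exposed_hosts(self):
        """Every internal address reachable through this VIP, for exposure review."""
        return [str(self.mapped_start + i) for i in range(self.span + 1)]


# Constructed sample: one external start address, three mapped servers.
SAMPLE = StaticNatVip("192.0.2.10", "10.10.10.42", "10.10.10.44")
```

Comparing `exposed_hosts()` against the servers that are meant to be published shows when a mapped range is wider than intended.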