It looks like the internal-switch-mode
is set as switch¹ (by default). That means that all ports on the internal interface are configured as if they were only one:
Switch mode combines FortiGate unit interfaces into one switch with
one address. Interface mode gives each internal interface its own
address.²
So, as I understand, if in the system global configuration you set internal-switch-mode interface,
you shall configure each port independently, so you will be able to reconfigure ports 1 and 2 and then disable the others, as @David says.
NB Before switching modes, all configuration settings for the interfaces affected by the switch must be set to defaults.²
Ref:
- FortiGate "Interface" command CLI document
- FortiGate "Global config" command CLI document
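The steps described in this answer, written out as FortiOS CLI (an added example, not taken from the post or from Fortinet's documentation). The interface names internal1 to internal4, the addresses and the allowaccess list are assumptions; adapt them to the unit. The `#` lines are explanatory comments, not commands.

```text
# Added example, not from the original post. Names and addresses are assumed.

# 1. Per note ² above, the affected interfaces must be back at defaults
#    (no policies, DHCP servers or routes referencing "internal") before
#    the mode is changed. Then replace the one-address switch with ports.
config system global
    set internal-switch-mode interface
end

# 2. Each former switch port is now its own interface; give the two ports
#    that stay in use their own address and management access.
config system interface
    edit "internal1"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "internal2"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    # 3. Administratively disable the ports that are not needed, so an
    #    unused port cannot be used to join the network unnoticed.
    edit "internal3"
        set status down
    next
    edit "internal4"
        set status down
    next
end
```

After the change, `get system interface physical` lists the individual ports and `get system global | grep switch` confirms the mode; if the global command is refused, something still references the old "internal" interface and has to be removed first.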
Yes, I understand your scenario and your requirement: to access resources on the remote firewall on the RDP port, i.e. 3389, from the LAN users connected to the FortiGate 200D switch.
For your requirement no NATting is required.
Please configure a static route in the FortiGate 200D as below:
ip route 10.48.1.0 255.255.255.0 pointing towards gateway 10.189.254.17
And for the reverse traffic, a static route in the remote n/w firewall:
ip route 192.168.60.0 255.255.255.0 pointing towards gateway 10.189.254.18
And have security policies in the firewalls allowing the traffic.
Policy in FortiGate 200D:
- Source interface: interface port (needs to be mentioned)
- Destination interface: interface port (needs to be mentioned)
- Source address: 192.168.60.15/32
- Destination address: 10.48.1.4/32
- Port: tcp-3389
- Action: allow
- Security profiles: on
Now the security policy in the remote n/w firewall:
- Source interface: egress interface of the firewall
- Destination interface: ingress interface of the firewall
- Source address: 192.168.60.15/32
- Destination address: 10.48.1.4/32
- Port: 3389/TCP
- Action: allowed
- Security profiles: on
Now the FortiGate 200D LAN users can access the server hosted internally on the remote network firewall on port 3389.
For further security, if you want to hide your IPs then you can use source NATting in the FortiGate 200D firewall, but to accomplish this you need to configure a static route in the FortiGate 200D with the destination as the source NAT pool, pointing
towards gateway 192.189.254.17, likewise.
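The FortiGate 200D side of the answer above, as FortiOS CLI (an added example, not the answer's own text or Fortinet's documentation). The interface names ("internal" for the switch LAN, "wan1" as the interface facing 10.189.254.17), the object names, the policy comment and the profile names are assumptions; the profile and `utm-status` syntax is the FortiOS 5.4-and-later form. The `#` lines are comments.

```text
# Added example, not from the original answer. Interface and object names
# are assumed; the addresses are the ones given in the answer.

# Static route toward the remote 10.48.1.0/24 network via 10.189.254.17
config router static
    edit 0
        set dst 10.48.1.0 255.255.255.0
        set gateway 10.189.254.17
        set device "wan1"
    next
end

# /32 address objects: one client host, one RDP server, nothing broader
config firewall address
    edit "lan_rdp_client"
        set subnet 192.168.60.15 255.255.255.255
    next
    edit "remote_rdp_server"
        set subnet 10.48.1.4 255.255.255.255
    next
end

# Policy: only that host may reach that server on TCP/3389, no source NAT
# (the routed design above), security profiles on, and full logging so
# RDP sessions across the link are visible in the traffic log.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan_rdp_client"
        set dstaddr "remote_rdp_server"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat disable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set comments "LAN client to remote RDP server, routed, no NAT"
    next
end
```

The remote firewall needs the mirror image (a route for 192.168.60.0/24 via 10.189.254.18 and a matching policy), exactly as the answer says. On the FortiGate, `get router info routing-table static` shows the route, and `diagnose sniffer packet wan1 'host 10.48.1.4 and port 3389' 4` confirms the packets leave with the client's own source address, i.e. un-NATted.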
Best Answer
What you are planning to do is called "Destination NAT", and in FortiOS this is done with 'Virtual IPs' (VIPs).
1- create a VIP like this
name: dnat_LAN2_to_LAN1
external interface: LAN2
external IP: 192.168.21.10 (for example)
mapped IP: 192.168.250.23 (for ex.)
port forwarding: not enabled
2- create a policy with
source interface: LAN2
source address: LAN2_subnet
destination interface: LAN1
destination address: dnat_LAN2_to_LAN1
service, schedule: to your liking
NAT: not enabled
You can now ping 192.168.250.23 on LAN1 using the IP 192.168.21.10 on LAN2.
If you want to map several IPs:
- you can create multiple VIPs and put them into a 'VIP group' and use this in a policy, or
- you can define a range of 'external' addresses which are then mapped 1:1 to the 'mapped-to' range
Note that you do not have to translate the LAN1 source addresses to a LAN2 address to completely 'masquerade' it - the VIP will do that automatically, even for traffic originating from LAN1.
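The VIP and policy from the answer above, plus both multi-host variants it mentions, as FortiOS CLI (an added example, not the answer's own configuration or Fortinet's documentation). LAN1 and LAN2 are the answer's aliases; here they are assumed to be the physical interfaces "port1" and "port2", the LAN2_subnet address object is assumed to exist, and the extra range addresses (.20-.22 and .30-.32) are constructed so they do not overlap the single VIP. The `#` lines are comments.

```text
# Added example, not from the original answer. Interface names, the
# LAN2_subnet object and the range addresses are assumptions.

# 1. One-to-one VIP: LAN2 clients talk to 192.168.21.10 and the FortiGate
#    rewrites the destination to 192.168.250.23 on LAN1. No port forwarding,
#    so every port is mapped, which is why the policy's service should be
#    narrowed to what is really needed.
config firewall vip
    edit "dnat_LAN2_to_LAN1"
        set extintf "port2"
        set extip 192.168.21.10
        set mappedip "192.168.250.23"
        set portforward disable
    next
end

# 2. Policy LAN2 -> LAN1 with the VIP object as destination. Source NAT
#    stays off: the VIP already rewrites both directions, as the answer notes.
config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN2_subnet"
        set dstaddr "dnat_LAN2_to_LAN1"
        set action accept
        set schedule "always"
        set service "PING"
        set nat disable
        set logtraffic all
    next
end

# 3a. Several hosts: an external range mapped 1:1 onto a mapped-to range
#     (.20 -> .30, .21 -> .31, .22 -> .32)
config firewall vip
    edit "dnat_LAN2_to_LAN1_range"
        set extintf "port2"
        set extip 192.168.21.20-192.168.21.22
        set mappedip "192.168.250.30-192.168.250.32"
        set portforward disable
    next
end

# 3b. Or several single VIPs collected into a VIP group that a policy
#     references as its destination address
config firewall vipgrp
    edit "dnat_LAN2_to_LAN1_grp"
        set interface "port2"
        set member "dnat_LAN2_to_LAN1"
    next
end
```

The service is set to PING to match the answer's ping test; widen it deliberately rather than leaving ALL. To see the translation happen, `diagnose sys session list` shows the session with the pre- and post-NAT destination, and `diagnose sniffer packet port1 'host 192.168.250.23' 4` shows the packets arriving on LAN1 with the mapped address.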