Fortigate behind NAT
Shadow Hawkins on Thursday, 13 December 2012 12:28:19
Hello,
I've got a Fortigate 60C, which is behind NAT. I've seen the Fortigate wiki, but that doesn't specify what kind of tunnel it needs. The Fortigate isn't up 24/7, and can be down for a couple of days. The Static IPv4 Endpoint doesn't seem like an option, since it requires port-forwarding. (I cannot do that, since the NAT is managed by someone else.) Does someone know what kind of tunnel it needs, so that it can run behind NAT non-24/7?
With kind regards,
Wouter
Fortigate behind NAT
Jeroen Massar on Thursday, 13 December 2012 12:33:06
Looks a lot like only standard static proto-41 tunnels.
You then of course have the option to run an AICCU/heartbeat client on a host behind the Fortigate and only let that client send out the heartbeats.
But as you are behind a NAT you would require protocol-forwarding (typically dubbed DMZ mode) to make this work.
> I cannot do that, since the NAT is managed by someone else
If you have no control over the NAT then your only real way is AYIYA.
As the NAT is controlled by someone else though it is likely their network and you should ask them if you are allowed to make a tunnel.
As a side-note, running a firewall box behind a NAT is not extremely useful IMHO ;)
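Why the two tunnel types named in the reply above behave differently behind a NAT, as an added example that is not part of the original thread: a proto-41 (SIT/6in4) packet has no TCP/UDP ports for a port-translating NAT to map, while AYIYA travels inside UDP. The function names and sample packets are constructed for illustration, and the AYIYA UDP port 5072 is its IANA registration, not a value stated in the thread.

```python
import socket
import struct

PROTO_TCP, PROTO_UDP, PROTO_IPV6_IN_IPV4 = 6, 17, 41  # 41 = the "proto-41"/SIT tunnel
AYIYA_PORT = 5072  # assumption: IANA-registered AYIYA UDP port, not stated in the thread

def _header_len(packet: bytes) -> int:
    """Validate the IPv4 header and return its length in bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    return ihl

def classify(packet: bytes) -> str:
    """Return 'proto-41', 'ayiya' or 'other' for a raw IPv4 packet."""
    ihl = _header_len(packet)
    proto = packet[9]
    if proto == PROTO_IPV6_IN_IPV4:
        return "proto-41"
    if proto == PROTO_UDP and len(packet) >= ihl + 8:
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        if AYIYA_PORT in (sport, dport):
            return "ayiya"
    return "other"

def has_l4_ports(packet: bytes) -> bool:
    """True if a port-translating NAT has TCP/UDP ports to key a mapping on."""
    _header_len(packet)
    return packet[9] in (PROTO_TCP, PROTO_UDP)

def ipv4(proto: int, payload: bytes, src="192.168.1.10", dst="192.0.2.1") -> bytes:
    """Build a constructed sample packet (checksum left at 0, not validated here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed samples: a 6in4 packet, an AYIYA datagram and an unrelated DNS query.
SIT_PKT = ipv4(PROTO_IPV6_IN_IPV4, b"\x60" + bytes(39))
AYIYA_PKT = ipv4(PROTO_UDP, struct.pack("!HHHH", 40000, AYIYA_PORT, 8 + 52, 0) + bytes(52))
DNS_PKT = ipv4(PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8 + 12, 0) + bytes(12))

if __name__ == "__main__":
    for name, pkt in (("SIT", SIT_PKT), ("AYIYA", AYIYA_PKT), ("DNS", DNS_PKT)):
        print(name, classify(pkt), "ports" if has_l4_ports(pkt) else "no ports")
```

The same two checks (IP protocol 41, UDP port 5072) are what the NAT's operator would filter or log on to see whether tunnels are in use on their network.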
Fortigate behind NAT
Shadow Hawkins on Thursday, 13 December 2012 12:50:02
> As a side-note, running a firewall box behind a NAT is not extremely useful IMHO ;)
Haha, but the firewall does have other purposes besides running behind this NAT. ;)
I've requested an AYIYA tunnel, so that should (hopefully) be running soon. Thank you for your time and explanation.
Fortigate behind NAT
Shadow Hawkins on Friday, 25 January 2013 22:00:44
It's using a standard SIT tunnel if you configure the Fortigate. I have it working with Hurricane Electric and it's the exact same thing with SixXS. Right now, I downloaded the AICCU client for Linux and have it running behind my firewall. Once I have enough credits, I'll move the tunnel to a static one and create a new SIT tunnel. You don't really need to fool around with NAT. When you create the SIT tunnel, it will appear as a new network interface and you can then route IPv6 traffic through that interface as your default gateway.
The only thing stopping me from doing it right now is I don't have enough credits to create a static tunnel. Once I do, I'll be using the Fortigate as the endpoint.
Fortigate behind NAT
Jeroen Massar on Sunday, 27 January 2013 17:31:21
> I don't have enough credits to create a static tunnel.
You can change tunnel types in the web interface, just click on the icon in the list in your user home.
Fortigate behind NAT
Shadow Hawkins on Friday, 01 February 2013 23:58:54
I was under the impression that it required credits to do such a thing. When I go to the tunnel interface screen, the following shows up:
"Changing tunnel type or endpoint costs credits"
Seeing as I'm using AYIYA, I figured that would be changing tunnel type but I'm not familiar enough with SixXS to know its idiosyncrasies.
As for the Fortigate, I'm running 3 of them at the house (60A, 60B, 60C on 3.0 MR7 Patch 10, 4.0 MR3 Patch 11, and 5.0 Patch 1 (special build)). All of them run IPv6 and support IPv6 over IPv4 using SIT. Though there are a lot of IPv6 features not included in the 3.0 version of FortiOS.
Fortigate behind NAT
Jeroen Massar on Tuesday, 07 May 2013 15:00:17
That it costs credits does not mean that you can't perform the action. This is all detailed in the FAQ.