FortiGate
rmetzger (Staff)
Article Id 198762

Description
This article describes the steps to configure multiple VIPs that forward to the same real server, based on the following scenario:

===   port3 10.160.0.110 [           ]
                         [ FortiGate ] === port6 === Application Server 192.168.182.102
===   port5 10.161.0.111 [           ]



Requirement: both "external" IP addresses 10.160.0.110 and 10.161.0.111 must be mapped to 192.168.182.102 for the TCP port range 80-443.

We assume the VIP external addresses are the same as the FortiGate interface IP addresses, and that the FortiGate administration TCP ports have already been moved out of that port range to avoid a conflict (otherwise the VIP and the administrative GUI would both claim TCP 80 and 443 on those interfaces).
Please see the related article "Technical Tip : Avoid TCP port conflict when using a VIP with same external IP address as the FortiGate" at the end of this page.

Scope

FortiOS firmware version 4.00 MR2
FortiOS firmware version 4.00 MR3
FortiOS firmware version 5.0.x
 


Solution
CLI based configuration:

One VIP is created per external interface. Each forwards TCP 80-443 on its own external address to the same mapped address. Because a port-forwarding VIP maps the external range onto the mapped range one-to-one, extport and mappedport must be ranges of the same size, so both are written as 80-443.

config firewall vip
    edit "VIP2_port5"
        set extip 10.161.0.111
        set extintf "port5"
        set portforward enable
        set mappedip 192.168.182.102
        set extport 80-443
        set mappedport 80-443
    next
    edit "VIP1_port3"
        set extip 10.160.0.110
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.182.102
        set extport 80-443
        set mappedport 80-443
    next
end

config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "VIP1_port3"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 2
        set srcintf "port5"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "VIP2_port5"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

The schedule, service and nat settings depend on the requirement. A separate policy is needed for each external interface because the srcintf of the policy must be the extintf of the VIP it references; a VIP used in a policy whose srcintf does not match its extintf will never be hit.

The VIP already restricts forwarding to TCP 80-443, so a service object limited to HTTP and HTTPS keeps the policy consistent with the VIP instead of "ANY" (in FortiOS 5.0 the equivalent catch-all service is named "ALL"). With "set nat enable" the application server sees the FortiGate port6 address as the source of every connection, so the real client address is lost in the server's logs; leave NAT disabled when the server's default route points back through the FortiGate and the original source addresses are required.



Additional note: how to change the default administration ports (admin-port is the HTTP GUI port, default 80; admin-sport is the HTTPS GUI port, default 443). The values below are an example of ports that can be used; pick ports outside every VIP external port range on the affected interfaces, and note that the GUI is reached on the new port afterwards (for example https://10.160.0.110:10443):

config system global
    set admin-port 10444
    set admin-sport 10443
end
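The VIP, policy and admin-port settings above have to agree with each other, and the CLI will not always tell you when they do not. The following Python script is an added example written for this article (not Fortinet's code): it parses a FortiOS CLI fragment and checks that each port-forwarding VIP's extport and mappedport ranges are the same size, that every VIP is the dstaddr of a policy whose srcintf equals the VIP's extintf, and that, when a VIP's extip is the address of its extintf, the admin ports do not fall inside the VIP's external range. The BAD and GOOD fragments are constructed for the example and mirror only the port3 leg of the scenario; the interface addresses and the "FortiOS defaults 80/443" for the admin ports are assumptions of the script.

```python
"""Added lint for the VIP / policy / admin-port setup in this article (example code,
not Fortinet's). Parses a FortiOS CLI fragment (config / edit / set / next / end;
nested sub-tables are not handled) and reports VIPs whose extport and mappedport
ranges differ in size, VIPs not referenced by a policy on their extintf, and admin
ports (admin-port / admin-sport, FortiOS defaults 80 / 443 assumed) that collide
with a VIP sharing its interface address. The sample fragments are constructed."""
import shlex


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; tables without 'edit' use entry None."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
            tables.setdefault(stack[-1], {})
            entry = None
        elif words[0] == "edit":
            entry = words[1]
            tables[stack[-1]].setdefault(entry, {})
        elif words[0] == "set":
            tables[stack[-1]].setdefault(entry, {})[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            if words[0] == "end":
                stack.pop()
            entry = None
    return tables


def port_range(spec):
    """'80' -> (80, 80); '80-443' -> (80, 443)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def lint(text):
    """Return a list of human-readable findings; an empty list means the fragment is consistent."""
    cfg = parse_fortios(text)
    policies = cfg.get("firewall policy", {})
    glob = cfg.get("system global", {}).get(None, {})
    admin = {"admin-port": 80, "admin-sport": 443}  # assumed FortiOS defaults, overridden if set
    admin.update({k: int(glob[k][0]) for k in admin if k in glob})
    iface_ip = {n: a["ip"][0] for n, a in cfg.get("system interface", {}).items() if "ip" in a}
    findings = []
    for name, v in cfg.get("firewall vip", {}).items():
        if v.get("portforward", ["disable"])[0] != "enable":
            continue
        ext, mapped = port_range(v["extport"][0]), port_range(v["mappedport"][0])
        if ext[1] - ext[0] != mapped[1] - mapped[0]:
            findings.append(f"{name}: extport {v['extport'][0]} and mappedport {v['mappedport'][0]} differ in size")
        extintf = v["extintf"][0]
        if iface_ip.get(extintf) == v["extip"][0]:  # VIP shares the interface address
            for key, port in admin.items():
                if ext[0] <= port <= ext[1]:
                    findings.append(f"{name}: {key} {port} is inside extport {v['extport'][0]} on {extintf}")
        users = [(pid, p) for pid, p in policies.items() if name in p.get("dstaddr", [])]
        if not users:
            findings.append(f"{name}: no firewall policy references it as dstaddr")
        for pid, p in users:
            if p.get("srcintf", [None])[0] != extintf:
                findings.append(f"policy {pid}: srcintf {p.get('srcintf')} does not match extintf {extintf} of {name}")
    return findings


# Constructed sample mirroring the port3 leg, with three pitfalls left in: a single extport
# against a mappedport range, admin ports at their defaults, and a policy on the wrong srcintf.
BAD = """
config system interface
    edit "port3"
        set ip 10.160.0.110 255.255.255.0
    next
end
config firewall vip
    edit "VIP1_port3"
        set extip 10.160.0.110
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.182.102
        set extport 80
        set mappedport 80-443
    next
end
config firewall policy
    edit 1
        set srcintf "port5"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "VIP1_port3"
        set action accept
        set service "ANY"
    next
end
"""
GOOD = (BAD.replace("set extport 80\n", "set extport 80-443\n")  # same fragment, corrected
           .replace('set srcintf "port5"', 'set srcintf "port3"')
        + "config system global\n    set admin-port 10444\n    set admin-sport 10443\nend\n")

if __name__ == "__main__":
    print("\n".join(lint(BAD)) or "no findings")
```

Run it against a `show firewall vip`, `show firewall policy`, `show system interface` and `show system global` dump concatenated into one file to check a real unit; lint(BAD) reports the three problems and lint(GOOD) reports nothing.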

 

Related Articles

Technical Tip : Changing the administration TCP ports to avoid conflict when using a VIP with same e...
