rkinsp
New Member
April 1, 2016
Question

Accessing VIP from internal network

  • April 1, 2016
  • 2 replies
  • 20374 views

Hi everyone. We have an FG200B and I am trying to set up an internal server that can be accessed by a VIP from inside or outside the network. I can access it fine using the local address internally or the VIP externally.


I followed the KB article below and set the VIP to any interface; however, it is still not working.


http://kb.fortinet.com/kb/documentLink.do?externalID=FD33976


Any ideas? Do I need to set up Policy Based Routing as well?


Thanks,

RK


    2 replies

    ujemvi
    New Member
    April 1, 2016

    You have to issue the command "set match-vip enable" on the firewall policy.

    omega
    New Member
    April 1, 2016

    I don't know about the match-vip command, but we had to use policy routes to get this to work.

    And of course matching Allow rules and the vip listening to any.

    echo
    Explorer II
    April 1, 2016

    Hello! The thing you want to do is also called NAT hairpinning. Some routers do this automatically, but some don't, and FortiGate is one such.

    I would personally use policy routes as last resort.

    But I have always got such a thing working when I create two rules: 1. from untrust to trust (that is, from the internet to the server's network) and 2. from trust to trust, where the destination is the VIP that was created, not the internal address (that works anyway).

    Milaan
    New Member
    May 17, 2016

    You not only have to change the interface of the VIP to any. You also have to create a policy, for example:

    source-interface: internal
    source-address: any
    destination-interface: internal
    destination-address: VIP-object
    service: any
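The replies above add up to three settings: the VIP bound to any, and an accept policy from the internal interface back to the internal interface whose destination is the VIP object (or which has match-vip enabled). A third point the thread does not mention but that bites in practice is source NAT on that hairpin policy: if the client and the server share a subnet, the server otherwise answers the client directly, the reply comes from the real IP instead of the VIP, and the client resets the session. The Python below is an added example, not code from the thread or from Fortinet. It parses a FortiOS-style CLI dump and reports which of those pieces is missing. The interface names wan1/internal, the VIP name web-vip, the addresses and the two config texts are all constructed for the example.

```python
"""Hairpin (internal -> VIP) readiness check over a FortiOS-style CLI dump.

Assumptions: wan1/internal, web-vip and every address below are invented, and
the config text is constructed for this example, not taken from a real FG200B.
"""
import shlex


def parse_fortios(text):
    """config/edit/set/next/end lines -> nested dicts, e.g.
    {"firewall vip": {"web-vip": {"extintf": ["any"]}}}; set values stay lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blanks and "#config-version" headers
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":                       # config firewall vip / config mappedip
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":                       # edit "web-vip" / edit 10
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def _covers(pol, key, intf):
    return intf in pol.get(key, []) or "any" in pol.get(key, [])


def hairpin_findings(cfg, vip_name, lan_intf):
    """List what is still missing for hosts on lan_intf to reach vip_name; [] means ready."""
    findings = []
    vip = cfg.get("firewall vip", {}).get(vip_name)
    if vip is None:
        return [f"VIP {vip_name} is not defined"]
    # 1. DNAT only applies to packets arriving on the VIP's external interface,
    #    so "any" is what lets traffic from the LAN side hit the mapping at all.
    extintf = vip.get("extintf", [])
    if extintf and extintf != ["any"] and lan_intf not in extintf:
        findings.append(f"VIP extintf is {extintf[0]}, not any: packets from {lan_intf} are never DNATed")
    # 2. An accept policy LAN -> LAN must match the VIP traffic, either by naming the VIP
    #    as dstaddr or with match-vip enable. First match in config order wins, as on the box.
    hit = None
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action") != ["accept"]:
            continue
        if not (_covers(pol, "srcintf", lan_intf) and _covers(pol, "dstintf", lan_intf)):
            continue
        if vip_name in pol.get("dstaddr", []) or pol.get("match-vip") == ["enable"]:
            hit = (pid, pol)
            break
    if hit is None:
        findings.append(f"no accept policy {lan_intf} -> {lan_intf} with dstaddr {vip_name} or match-vip enable")
        return findings
    # 3. Without SNAT a server on the client's own subnet replies directly, from its real
    #    IP rather than the VIP, and the client tears the session down (caveat added here).
    if hit[1].get("nat") != ["enable"]:
        findings.append(f"policy {hit[0]} lacks 'set nat enable': server replies will bypass the FortiGate")
    return findings


# Constructed starting point, as in the question: VIP bound to wan1, only an inbound policy.
BROKEN = """\
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "192.168.1.10"
    next
end
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

# Constructed fix: VIP on any plus the internal-to-internal policy aimed at the VIP, with SNAT.
FIXED = BROKEN.replace('set extintf "wan1"', 'set extintf "any"') + """\
config firewall policy
    edit 11
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, hairpin_findings(parse_fortios(text), "web-vip", "internal") or ["ready"])
```

Run it against `show firewall vip` and `show firewall policy` output pasted into a file to see which of the three pieces a box is missing; the policy check deliberately stops at the first accept policy that covers the interfaces, because that is the one the FortiGate will use.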