jfernandz
New Member
May 25, 2021
Question

Accessing a Virtual IP from the inside

  • May 25, 2021
  • 1 reply
  • 10238 views

Hi everyone,

 

I've created a Virtual IP to forward TCP port 10000 to TCP port 80 on a client with the IP 192.168.1.12, so the details are:

 

0.0.0.0 -> 192.168.1.12 (TCP: 10000 -> 80)

 

Also, I've created a policy so I can access that host from the outside when I make a request to <office.public.ip>:10000, and it does work as expected. I've basically followed this post in the knowledge base.

 

However, I'm experiencing something unexpected: when I try to access <office.public.ip>:10000 from another interface (VLAN) I cannot reach the host, only when I try to access it from outside (a different internet connection). Why is this?

 

To put you a little more in context ... I'm doing this in my company, so I can reach the host from my home, but not from the office itself. Also ... the ISP gave me an IP to use as a gateway in a static route (which is different from the public IP of the connection in the office), and I also have another different IP/netmask for the WAN1 interface (also different from the public IP and the IP for the static route). When I try to reach the host by requesting <ip.wan1.interface>:10000 it works as expected, but again, I cannot reach it when I request <office.public.ip>:10000 from the office itself; it only works when I make that request from outside.

 

I know that when I'm inside (in the office) I don't actually need to access that host via <office.public.ip>, but I'm curious, because apparently I should be able to use <office.public.ip>:10000 in the same way as I'm able to use just the private local IP (192.168.1.12).

 

What do you think? Thank you all.

   

   

    1 reply

    jorge_americo
    New Member
    May 25, 2021

    I believe the problem is the rule. Does the VLAN in question have a rule that allows this access? Keep in mind that your request will go up to the firewall and down again. Then the rule must have NAT on the interface so that there is no asymmetric routing. Show your rules.

    jfernandz (Author)
    New Member
    May 25, 2021

    jorge.americo wrote:

    I believe the problem is the rule. Does the VLAN in question have a rule that allows this access? Keep in mind that your request will go up to the firewall and down again. Then the rule must have NAT on the interface so that there is no asymmetric routing. Show your rules.

    These are the policies that could be interfering:

     

    +----+----------------+-------------+---------+---------+
    | Id | Source         | Destination | Service | NAT     |
    +----+----------------+-------------+---------+---------+
    | internal1 -> wan1                                     |
    +----+----------------+-------------+---------+---------+
    | 2  | 172.20.1.0/24  | all         | all     | enabled |
    +----+----------------+-------------+---------+---------+
    | wan1 -> internal1                                     |
    +----+----------------+-------------+---------+---------+
    | 26 | all            | created VIP | all     | enabled |
    +----+----------------+-------------+---------+---------+

     

    Destination and source are, as you know, address objects, except the created VIP, which is the one I've shown: 0.0.0.0 -> 192.168.1.12 (TCP: 10000 -> 80).

     

    But I don't see any problem with this.

    jorge_americo
    New Member
    May 25, 2021

    # diag debug enable
    # diagnose debug flow filter saddr x.y.w.z
    # diag debug console timestamp enable
    # diag debug flow show iprope enable
    # diag debug flow trace start 100
    # diag debug enable

     

    where x.y.w.z is the internal IP of the machine you are going to use for testing.

    Use the machine x.y.w.z for the test and show the debug, please.

     

    I believe that an internal-to-internal rule is missing and, if the interface is set on the VIP, remove it.

    See this: https://kb.fortinet.com/k....do?externalID=FD36202
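The two replies above describe the lookup order that decides whether an inside client can reach a VIP through the firewall's own public address: the VIP translates the destination first, then the policy is matched on the ingress/egress interface pair, and when both interfaces are the same the policy needs source NAT or the server's reply bypasses the firewall. The following script is an added example, not code from the thread or from Fortinet, that models that lookup over the policy table posted above and shows what changes once an intra-interface policy with NAT is added. Everything except 192.168.1.12 and 172.20.1.0/24 is constructed: the WAN subnet 203.0.113.0/29, the placeholder public and wan1 addresses, the interface name `vlan10` for the VLAN client, and the hypothetical policy ids 30 and 31.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed lab topology. Only 192.168.1.12 (the web host) and 172.20.1.0/24
# (the VLAN source range) come from the thread; every other address is made up.
INTERFACES = {
    "wan1": ipaddress.ip_network("203.0.113.0/29"),       # assumed WAN subnet
    "internal1": ipaddress.ip_network("192.168.1.0/24"),  # LAN holding the web host
    "vlan10": ipaddress.ip_network("172.20.1.0/24"),      # assumed name of the VLAN interface
}
PUBLIC_IP = "203.0.113.2"  # stands in for <office.public.ip>
WAN1_IP = "203.0.113.3"    # stands in for <ip.wan1.interface>


@dataclass(frozen=True)
class VIP:
    name: str
    ext_ips: frozenset   # external addresses the VIP answers on
    ext_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Policy:
    pid: int
    srcintf: str
    dstintf: str
    srcaddr: str   # "all" or a CIDR string
    dstaddr: str   # "all" or the VIP name
    nat: bool      # source NAT to the egress interface address


@dataclass(frozen=True)
class Verdict:
    action: str              # "accept", "deny" or "asymmetric"
    policy_id: Optional[int]
    note: str


def route_interface(ip: str) -> str:
    """Connected-route lookup; anything off the local subnets uses the default route via wan1."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERFACES.items():
        if addr in net:
            return name
    return "wan1"


def evaluate(policies: List[Policy], vip: VIP, src_ip: str, dst_ip: str, dst_port: int) -> Verdict:
    ingress = route_interface(src_ip)
    # The VIP's DNAT is applied before the policy lookup, so the policy is matched
    # on the translated destination and on the interface that destination routes to.
    hit_vip = dst_ip in vip.ext_ips and dst_port == vip.ext_port
    real_dst = vip.mapped_ip if hit_vip else dst_ip
    egress = route_interface(real_dst)
    for p in policies:  # first matching policy wins, as in an ordered rule base
        if (p.srcintf, p.dstintf) != (ingress, egress):
            continue
        if p.srcaddr != "all" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(p.srcaddr):
            continue
        if p.dstaddr != "all" and not (hit_vip and p.dstaddr == vip.name):
            continue
        if ingress == egress and not p.nat:
            # Hairpin without SNAT: the server sees a client on its own subnet and
            # replies to it directly, so the return packet never crosses the firewall.
            return Verdict("asymmetric", p.pid, f"{ingress}->{egress} hairpin, reply bypasses the firewall")
        return Verdict("accept", p.pid, f"{ingress}->{egress}" + (", SNAT to interface address" if p.nat else ""))
    return Verdict("deny", None, f"no {ingress}->{egress} policy (implicit deny)")


# The VIP and the two policies exactly as listed in the thread.
THREAD_VIP = VIP("created VIP", frozenset({PUBLIC_IP, WAN1_IP}), 10000, "192.168.1.12", 80)
THREAD_POLICIES = [
    Policy(2, "internal1", "wan1", "172.20.1.0/24", "all", True),
    Policy(26, "wan1", "internal1", "all", "created VIP", True),
]
# Hypothetical policies (ids 30 and 31 are constructed) that let inside clients use the VIP.
HAIRPIN_FIX = [
    Policy(30, "vlan10", "internal1", "all", "created VIP", True),
    Policy(31, "internal1", "internal1", "all", "created VIP", True),
]


def demo() -> List[str]:
    """Run the thread's scenarios before and after adding the hairpin policies."""
    cases = [
        ("internet client", "198.51.100.7", THREAD_POLICIES),
        ("VLAN client, thread rules", "172.20.1.50", THREAD_POLICIES),
        ("VLAN client, with fix", "172.20.1.50", THREAD_POLICIES + HAIRPIN_FIX),
        ("same-LAN client, with fix", "192.168.1.50", THREAD_POLICIES + HAIRPIN_FIX),
    ]
    return [f"{label}: {evaluate(pol, THREAD_VIP, src, PUBLIC_IP, 10000)}" for label, src, pol in cases]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The model deliberately stops at the policy lookup: it does not reproduce the poster's observation that the wan1 address works from inside while the public address does not, which the debug flow commands in the reply are the right tool to explain on the real box.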