AWS Fortigate VM DNAT is not working.
Hi guys,
I am not able to pull off a DNAT to access, from the external internet, my web service hosted on a server in a private subnet managed by FortiGate.
I am new to this networking area, could you guys help me out?
This is what I have been trying.
I am accessing it with a web browser like http://<FGT-Public-Ip>:3002 and also doing telnet <FGT-Public-Ip> 3002... both time out.
Traffic is reaching my FortiGate, verified with
diagnose sniffer packet port1 'tcp and port 3002', results below:
-----------------------------------------------------------------------------------------------
XXXXXXXX # diagnose sniffer packet port1 'tcp and port 3002'
Using Original Sniffing Mode
interfaces=[port1]
filters=[tcp and port 3002]
3.351276 XXX.XXX.9.57.59128 -> 10.0.0.10.3002: syn 3472599031
3.351345 XXX.XXX.9.57.59128 -> 10.0.0.10.3002: syn 89282952
Redirected to interface port1's private IP address, port 3002.
-----------------------------------------------------------------------------------------------
Ran the packet sniffer on port2, where the traffic should be forwarded to...
XXXXXXXX # diagnose sniffer packet port2 'tcp and port 3002'
Using Original Sniffing Mode
interfaces=[port2]
filters=[tcp and port 3002]
Nothing is displayed here after the telnet or HTTP request in the browser.
-----------------------------------------------------------------------------------------------
This is my VIP configuration: the external IP address is the public IP address (AWS Elastic IP) of the FGT which I will be accessing, and which is mapped to the physical interface FGT port1 10.0.0.10... 10.0.1.27 is the private server in the private subnet.

This below is my firewall policy allowing traffic from port1 to the VIP.

This below is the TCP/3002 service... originally I had set it up with ALL services, but it still did not work.

Interfaces
port1 -> 10.0.0.10
port2 -> 10.0.1.10
Subnets
public subnet 10.0.0.0/24 (my FGT VM is placed here)
private subnet 10.0.1.0/24
Resources
Server -> 10.0.1.27 (placed in the 10.0.1.0/24 subnet)
Static route 1:
Destination: 10.0.1.0/24
Gateway IP: 0.0.0.0 (managed by FGT)
Interface: port2
More context:
The service itself is literally a Docker container with nginx, mapped 0.0.0.0:3002 -> ::80.
Executed telnet from the FortiGate CLI and it works, so the service is accessible from the FortiGate..
XXXXXXXXX # execute telnet 10.0.1.27 3002
Trying 10.0.1.27...
Connected to 10.0.1.27.
I have an SSL-VPN tunnel managed by FGT as 10.0.3.0/24,
and from there I am able to successfully telnet 10.0.1.27 3002, or even curl or open http://10.0.1.27:3002 from the browser.

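The VIP and policy screenshots referenced in the post did not survive, so below is a reference port-forwarding VIP plus policy in FortiOS CLI syntax, written as an added example (not the poster's actual configuration), using the addresses given in the post. The object names "vip-web-3002", "svc-tcp-3002" and the policy ID are assumptions. One detail worth checking against the sniffer output above: the port1 trace shows the SYN arriving with destination 10.0.0.10, not the Elastic IP, because AWS translates the Elastic IP to the ENI's primary private address before the packet reaches the instance. A port-forwarding VIP only matches packets whose destination equals its extip, so the example sets extip to the address the packets actually carry.

```text
# Service object for the web port (constructed name)
config firewall service custom
    edit "svc-tcp-3002"
        set tcp-portrange 3002
    next
end

# Port-forwarding VIP: match the destination seen on port1 in the sniffer
# trace (10.0.0.10, the private IP behind the Elastic IP) and map it to
# the private server 10.0.1.27 on the same port.
config firewall vip
    edit "vip-web-3002"
        set extip 10.0.0.10
        set extintf "port1"
        set portforward enable
        set protocol tcp
        set extport 3002
        set mappedip "10.0.1.27"
        set mappedport 3002
    next
end

# Inbound policy from port1 to port2 whose destination is the VIP object,
# not the server address. NAT stays disabled so the server sees the real
# client source and replies through the FortiGate via the static route.
config firewall policy
    edit 10
        set name "inbound-web-3002"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-web-3002"
        set action accept
        set schedule "always"
        set service "svc-tcp-3002"
        set nat disable
        set logtraffic all
    next
end
```

After the change, the check is the same one the post already uses: `diagnose sniffer packet port2 'tcp and port 3002'` should now show the SYN leaving port2 with destination 10.0.1.27, and `diagnose debug flow` with a filter on port 3002 reports which policy (or lack of one) the session hit. On the AWS side, a FortiGate forwarding traffic between subnets additionally needs source/destination checking disabled on both ENIs and the private subnet's route table pointing the return path at the port2 ENI; those are general requirements of the deployment rather than a diagnosis of this post's problem.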