mackdav
New Member
May 15, 2014
Question

Can't Admin over WAN

  • 4 replies
  • 16357 views
Hi all, I have a FortiWiFi 60D (running 5.0.7, but this problem first turned up with the previously run version, which was 5.0.4) deployed on a Bell Canada DSL connection. My problem is that while I can access the Virtual IP services I have configured, I can't access the firewall's HTTPS or SSH service from outside or ping it from the outside. I've deployed a bunch of FortiNet firewalls so this should be simple, and I can't for the life of me figure out why it doesn't work.

- interface has ping, https, and ssh enabled on it
- https is set to port 8443
- the admin account has the trusted IPs defined correctly
- the admin account works, I can use it when I log in (https or ssh) from the inside

Interestingly, traceroute (mtr, actually) can connect to it. Does anyone have any idea what I might have missed?


    Matthew_Mollenhauer
    New Member
    May 15, 2014
    Is it possible the ISP is blocking incoming connections to your IP? It's not something I'd think a business connection would have, but I have seen it a number of times where a customer has bought a consumer plan as it was cheaper. Regards, Matthew
    pchechani_FTNT
    Staff
    May 16, 2014
    Do you know what error logs the FortiGate is generating while you try to connect to it from outside? They should provide you some hint.
    AndreaSoliva
    New Member
    May 16, 2014
    Hi, only a hint.....! If you have configured a VIP (incoming NAT) on the FGT, and you configured this VIP with an IP only, ALL ports will be translated to the internal server. This means that with only one IP and such a config the FGT is no longer reachable, because as soon as you request the IP of the FGT used in the VIP, all traffic will be translated to the internal server configured in the VIP object. What you can/should do is configure Port Forward within the VIP object, meaning only forward specific ports to the internal server. If a port used within this port forward overlaps with the admin port of the FGT, you should move the admin port to another one. This means if you have a VIP configured with Port Forward 443 and admin HTTPS is on 443, the admin port is no longer reachable from the outside world. Move the admin port to 9443 or whatever. Only a hint, as mentioned. Hope this helps, have fun. Andrea
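    To make the hint above concrete, here is what the two VIP styles look like in FortiOS CLI. This is an added example, not config from anyone in this thread or from Fortinet. The WAN interface name wan1, the public address 203.0.113.10, the server address 192.168.1.10, the trusted-host range 198.51.100.0/24 and the two forwarded services (HTTPS on 443 and RDP on 3389) are assumptions, since the posts do not name them; the admin HTTPS port 8443 is the one the original poster reports using. The syntax is the 5.0-era form (later releases quote the mappedip value). The first VIP is the IP-only form that claims every inbound packet to the WAN address, including ICMP and the admin ports; the second block is the port-forward form that leaves everything not explicitly forwarded to the FortiGate itself.

```text
# BEFORE (assumed reconstruction of the all-ports VIP): IP-only static NAT.
# With extip equal to the WAN address and no portforward, every inbound
# packet to 203.0.113.10 is DNAT'd to the server, so ping, HTTPS :8443 and
# SSH to the firewall never reach the FortiGate's own management stack.
config firewall vip
    edit "server-all-ports"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip 192.168.1.10
    next
end

# AFTER: one port-forward VIP per service actually exposed (assumed: 443 and 3389).
# Only these two ports are translated; all other ports and ICMP stay with the FGT.
config firewall vip
    edit "server-https"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.1.10
        set extport 443
        set mappedport 443
    next
    edit "server-rdp"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.1.10
        set extport 3389
        set mappedport 3389
    next
end

# Keep the admin ports clear of any forwarded port. 8443 does not collide with
# 443 or 3389 here; if a forwarded port did overlap, move the admin port.
config system global
    set admin-sport 8443
    set admin-ssh-port 22
end

# Management access on the WAN interface, limited further by trusted hosts
# on the admin account (assumed range).
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 198.51.100.0 255.255.255.0
    next
end

# The inbound policy references only the port-specific VIPs, never the WAN address.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "server-https" "server-rdp"
        set action accept
        set schedule "always"
        set service "HTTPS" "RDP"
    next
end
```

    A quick way to confirm which case you are in: with the all-ports VIP, `diagnose sniffer packet wan1 'port 8443' 4` on the FortiGate shows the SYN arriving on wan1, yet no session is created for the management stack because the packet has already been translated towards the server. After the change, the same sniffer shows the SYN followed by the firewall's own SYN/ACK.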
    mackdav (Author)
    New Member
    May 21, 2014
    AndreaSoliva had it correct. I was lazy and defined a VIP with all ports back to the Windows server. Breaking it up into two port-specific VIPs for the two services actually being handled, and it starts working again. Thanks!
    ede_pfau
    SuperUser
    May 16, 2014
    That was my first idea as well - a VIP defined as the FGT's WAN IP address. If you can ping it you do not have port forwarding enabled. Theory breaks if you have multiple public addresses in use.