Skip to main content
Atothendy
Atothendy
Explorer
January 10, 2023
Question

LMI behind dual NAT not connecting

  • January 10, 2023
  • 2 replies
  • 1562 views

Hi All;

 

I'm hoping for some guidance on a strange situation. We run an FG60E (7.0.7), trunking a few VLANs via unifi switches. (192.168.1.x/24, 10.15.x.x.)

A third party has a Sonicwall inside this network, the WAN on the sonicwall is 192.168.1.x and attaches to our VLAN1 network. The LAN side on the sonicwall is 10.120.x. There's no subnet conflicts.

 

A computer on our 10.15.x address can, reportedly, connect to LogMeIn Connect and establish a connection fine. I don't have visibility to their LMI platform to validate this but I do have control and access to the computer

A computer on the vendor's 10.120.x network can connect to LMI, but cannot actually establish remote control.  I've got control and access to the computer and temporarily have created a LMI trial just so I can observe from my end.

 

What the third party is seeing on the vendor computer(and I can confirm) is that Bomgar, TacticalRMM and LMI are all establishing back-channels, but whenever someone tries to connect for screen sharing, it just times out or generates an error. I also have ScreenConnect and Splashtop on this computer and they connect fine.

 

The vendor is annoyed because "all our networks are the same across 30+ clients, and our upstream partner has the same deployment across hundreds, so what are you doing wrong" (For the record, we work with another similar client and they have the same vendor and it's NOT the same at all)

 

I've turned off all my IDS, Application control and everything else. The firewall rule for outbound traffic is now:

 

 

config firewall policy     edit 1         set name "Default Outbound"         set uuid 80740d4e-0192-51ed-5497-xxxxx         set srcintf "internal" "aaa" "yyyy"         set dstintf "WAN"         set action accept         set srcaddr "all"         set dstaddr "all"         set schedule "always"         set service "ALL"         set tcp-session-without-syn all         set logtraffic all         set nat enable     next end

 

 

 

the "TCP-session-without-syn" I just added today but it makes no difference.

 

I need to double check I'm not doing anything incorrectly on the FG at all. I've got another device to take and test a few alternate configurations tomorrow, but I can't see what i'm doing wrong, if anything here.

 

I got a pcap file from the fortigate and while I haven't done substantial pcap reading in a long time, I did notice lots of dupes, and SYN-ECN-CWR flags. (which is why I tried the session without syn above)

 

I haven't reached out to TAC yet, but that's on my roadmap to do otherwise.

 

I have also, incidently, tried to disable ECN on the endpoint in question (Server 2019)

 

 

 

2 replies

AlexC-FTNT
Staff
AlexC-FTNT
Staff
January 10, 2023

"TCP-session-without-syn" and enabling asymmetric-routing should make no difference.

Make sure you did not 'mistakenly' disabled any session-helper or SIP-ALG.

Then collect the packet capture without any change on the policy. 

Also, a very simple test: try to establish connection from behind the FortiGate directly, not through 2 firewalls. You should be sure where the problem comes from (FG or other firewall)

gfleming
Staff
gfleming
Staff
January 10, 2023

Can they disable NAT on the Sonicwall? Add a route on the FGT for the 10.120.x network pointing to the Sonicwall. See if it works when you disable one layer of NAT.

Terms & ConditionsAccessibility statement