NAT + Hairpin-NAT for Virtual Server

Forum|Forum|7 years ago
April 18, 2019
1 reply
3181 views

Hi!

I need to migrate from an UTM-System to a Fortigate where the old system is acting as an SMTP-server.

What I want to accomplish is:

- Install new MTA with IP x.x.x.x

- If on ANY internal interface of the fortigate, a connection is coming in with destination: FG-IP:25, forward to MTA

What I tried is using a Virtual-IP:

config firewall vip
    edit "Hairpin-VIP"
        set uuid 27ae0c6e-61a9-51e9-d09b-4712492d2507
        set extintf "lan"
        set portforward enable
        set mappedip "x.x.x.x"
        set extport 25
        set mappedport 25
    next
end
config firewall policy
    edit 15
        set name "Hairpin-Policy"
        set uuid 540b72ec-61a9-51e9-06fb-876ebf0b8ac1
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end

...without success...

Can you give me a hint on how to solve this?

Thank you

KPS

KPSAuthor

New Member

Hi!

I just found the problem:

ANY-policies do not cover virtual-services.

The "hairpin-policy" need to target to the service "Hairpin-VIP"

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded