NAT/ip policy Problems
First of all - excuse me for my English, it's not my first language.
Hey guys, a total FortiGate noob here, inherited the FG from the guy who was working here before me, lots of IP policy rules and other stuff.
I need to NAT 9443->443 from a certain external IP address to a web-server inside, but (I think) traffic keeps hitting the wrong IPv4 policy.
Here's my VIP config for this:
edit "NAT to lkbitrix"
set uuid a685993c-79a2-51ea-8d95-fac7819934af
set extip <EXTIP>
set extintf "port1"
set portforward enable
set color 9
set mappedip "192.168.131.7"
set extport 9443
set mappedport 443
Here are the IP policies I created for that rule:
edit 142
set name "SWEB05-NAT-Internet"
set uuid 109e0adc-7b08-51ea-a864-b1c9dd70f816
set srcintf "port5"
set dstintf "port1"
set srcaddr "KAM-SWEB05"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
edit 141
set name "A-Internet-SWEB05"
set uuid c3c5364a-7b07-51ea-6e98-064652b0f36e
set srcintf "port1"
set dstintf "port5"
set srcaddr "all"
set dstaddr "KAM-SWEB05"
set action accept
set schedule "always"
set service "ALL"
next
Please note that I'm not putting any ports/protocols here because I was troubleshooting the rules. I will put specific ports once we go live with this.
Now, what I think happens is that traffic gets redirected to port 443 of the EXTIP, on which another service exists.
Here's debug:
192.168.131.7 is the web-server I need to publish
192.168.131.1 is the web-server published on port 443
2020-04-10 12:33:51 id=20085 trace_id=1 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7ae"
2020-04-10 12:33:51 id=20085 trace_id=1 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=1 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:51 id=20085 trace_id=2 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag, seq 1457575988, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=2 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7af"
2020-04-10 12:33:51 id=20085 trace_id=2 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=2 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:51 id=20085 trace_id=3 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag, seq 3828400667, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=3 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7b0"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:33:51 id=20085 trace_id=3 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=3 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:33:51 id=20085 trace_id=3 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=4 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828400668, ack 2004987952, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=4 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=4 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=5 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828400668, ack 2004987952, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=5 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=5 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=6 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828401185, ack 2004990461, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=6 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=6 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=7 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828401185, ack 2004990461, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=7 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=7 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=8 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [F.], seq 3828401192, ack 2004990461, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=8 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=8 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=9 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828401193, ack 2004990462, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=9 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=9 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=10 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52912-><EXTIP>:9443) from port1. flag, seq 2668994186, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=10 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7b9"
2020-04-10 12:33:51 id=20085 trace_id=10 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=10 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:54 id=20085 trace_id=11 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag, seq 1457575988, ack 0, win 8192"
2020-04-10 12:33:54 id=20085 trace_id=11 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7ff"
2020-04-10 12:33:54 id=20085 trace_id=11 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:54 id=20085 trace_id=11 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:54 id=20085 trace_id=12 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52909-><EXTIP>:9443) from port1. flag, seq 605093863, ack 0, win 8192"
2020-04-10 12:33:54 id=20085 trace_id=12 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd800"
2020-04-10 12:33:54 id=20085 trace_id=12 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:54 id=20085 trace_id=12 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:54 id=20085 trace_id=13 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52912-><EXTIP>:9443) from port1. flag, seq 2668994186, ack 0, win 8192"
2020-04-10 12:33:54 id=20085 trace_id=13 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd802"
2020-04-10 12:33:54 id=20085 trace_id=13 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:54 id=20085 trace_id=13 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:00 id=20085 trace_id=14 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag, seq 1457575988, ack 0, win 8192"
2020-04-10 12:34:00 id=20085 trace_id=14 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd890"
2020-04-10 12:34:00 id=20085 trace_id=14 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:00 id=20085 trace_id=14 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:00 id=20085 trace_id=15 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52909-><EXTIP>:9443) from port1. flag, seq 605093863, ack 0, win 8192"
2020-04-10 12:34:00 id=20085 trace_id=15 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd891"
2020-04-10 12:34:00 id=20085 trace_id=15 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:00 id=20085 trace_id=15 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:00 id=20085 trace_id=16 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52912-><EXTIP>:9443) from port1. flag, seq 2668994186, ack 0, win 8192"
2020-04-10 12:34:00 id=20085 trace_id=16 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd899"
2020-04-10 12:34:00 id=20085 trace_id=16 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:00 id=20085 trace_id=16 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:12 id=20085 trace_id=17 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52915-><EXTIP>:9443) from port1. flag, seq 3798766778, ack 0, win 8192"
2020-04-10 12:34:12 id=20085 trace_id=17 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd9a1"
2020-04-10 12:34:12 id=20085 trace_id=17 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:12 id=20085 trace_id=17 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:12 id=20085 trace_id=18 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag, seq 1420091637, ack 0, win 8192"
2020-04-10 12:34:12 id=20085 trace_id=18 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd9a2"
2020-04-10 12:34:12 id=20085 trace_id=18 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:34:12 id=20085 trace_id=18 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=18 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:34:12 id=20085 trace_id=18 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:34:12 id=20085 trace_id=18 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=19 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420091638, ack 824278912, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=19 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=19 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=20 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420091638, ack 824278912, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=20 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=20 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=21 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420092155, ack 824281421, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=21 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=21 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=21 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=22 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420092155, ack 824281421, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=22 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=22 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=23 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [F.], seq 1420092162, ack 824281421, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=23 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=23 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=23 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=24 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420092163, ack 824281422, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=24 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=24 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=24 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:15 id=20085 trace_id=25 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52915-><EXTIP>:9443) from port1. flag, seq 3798766778, ack 0, win 8192"
2020-04-10 12:34:15 id=20085 trace_id=25 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cda40"
2020-04-10 12:34:15 id=20085 trace_id=25 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:15 id=20085 trace_id=25 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:17 id=20085 trace_id=26 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52917-><EXTIP>:9443) from port1. flag, seq 2146468256, ack 0, win 8192"
2020-04-10 12:34:17 id=20085 trace_id=26 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cda84"
2020-04-10 12:34:17 id=20085 trace_id=26 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:17 id=20085 trace_id=26 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:17 id=20085 trace_id=27 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag, seq 3545820219, ack 0, win 8192"
2020-04-10 12:34:17 id=20085 trace_id=27 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cda85"
2020-04-10 12:34:17 id=20085 trace_id=27 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:34:17 id=20085 trace_id=27 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=27 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:34:17 id=20085 trace_id=27 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:34:17 id=20085 trace_id=27 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=28 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820220, ack 2191388383, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=28 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=28 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=28 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=29 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820220, ack 2191388383, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=29 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=29 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=29 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=30 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820737, ack 2191390892, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=30 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=30 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=30 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=31 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820737, ack 2191390892, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=31 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=31 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=31 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=32 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [F.], seq 3545820744, ack 2191390892, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=32 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=32 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=32 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=33 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820745, ack 2191390893, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=33 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=33 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=33 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:20 id=20085 trace_id=34 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52917-><EXTIP>:9443) from port1. flag, seq 2146468256, ack 0, win 8192"
2020-04-10 12:34:20 id=20085 trace_id=34 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cdac4"
2020-04-10 12:34:20 id=20085 trace_id=34 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:20 id=20085 trace_id=34 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:21 id=20085 trace_id=35 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52915-><EXTIP>:9443) from port1. flag, seq 3798766778, ack 0, win 8192"
2020-04-10 12:34:21 id=20085 trace_id=35 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cdadd"
2020-04-10 12:34:21 id=20085 trace_id=35 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:21 id=20085 trace_id=35 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:26 id=20085 trace_id=36 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52917-><EXTIP>:9443) from port1. flag, seq 2146468256, ack 0, win 8192"
2020-04-10 12:34:26 id=20085 trace_id=36 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cdbc9"
2020-04-10 12:34:26 id=20085 trace_id=36 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:26 id=20085 trace_id=36 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
Any help will be very appreciated.
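
An added example, not part of the original post: a small Python parser that groups the debug flow lines above by trace_id and reports what the firewall did with each packet. The function names summarize and ports_without_dnat are illustrative, and the sample lines are copied from the trace above.

```python
import re

# Lines copied from the post's debug flow output (trace_id 2, 3 and 4);
# <MYIP> and <EXTIP> are the post's own redactions.
SAMPLE = '''\
2020-04-10 12:33:51 id=20085 trace_id=2 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag, seq 1457575988, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=2 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7af"
2020-04-10 12:33:51 id=20085 trace_id=2 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=2 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:51 id=20085 trace_id=3 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag, seq 3828400667, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=3 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7b0"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:33:51 id=20085 trace_id=3 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=3 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:33:51 id=20085 trace_id=3 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=4 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828400668, ack 2004987952, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=4 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=4 func=ids_receive line=281 msg="send to ips"
'''

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\) from (\S+?)\.')
DNAT_RE = re.compile(r'DNAT \S+->(\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')


def summarize(text):
    """Group flow-trace lines by trace_id and record what happened to each packet."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a flow-trace line
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        flow = flows.setdefault(tid, {"dst_port": None, "in_if": None,
                                      "dnat_to": None, "policy": None,
                                      "verdict": "unknown"})
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            flow["dst_port"], flow["in_if"] = int(p.group(5)), p.group(6)
        elif func == "__ip_session_run_tuple" and (d := DNAT_RE.search(msg)):
            flow["dnat_to"] = d.group(1)
        elif func == "fw_forward_handler" and (a := POLICY_RE.search(msg)):
            flow["policy"], flow["verdict"] = int(a.group(1)), "forwarded"
        elif func == "fw_local_in_handler" and "drop" in msg:
            # Treated as traffic addressed to the firewall itself, then denied.
            flow["verdict"] = "local-in drop"
        elif func == "resolve_ip_tuple_fast" and flow["verdict"] == "unknown":
            flow["verdict"] = "existing session"
    return flows


def ports_without_dnat(flows):
    """Destination ports dropped at local-in with no DNAT line, i.e. no VIP matched."""
    return sorted({f["dst_port"] for f in flows.values()
                   if f["verdict"] == "local-in drop"
                   and f["dnat_to"] is None and f["dst_port"] is not None})


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for tid, f in result.items():
        print(tid, f)
    print("no VIP matched for destination ports:", ports_without_dnat(result))
```

On the sample, port 9443 is dropped in fw_local_in_handler with no DNAT line, while port 443 is DNATed to 192.168.131.1:443 and allowed by policy 75. On FortiOS without central NAT, a VIP is applied only once a firewall policy references the VIP object as its destination address; policy 141 above uses "KAM-SWEB05" as dstaddr.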
