Need an internal -> internal policy for LAN access to internal servers??

 When I’m connected to my FortiAP with a phone I’m unable to retrieve mail from my internal mail server, or any other internal servers by name, but I can access external sites. My phone is on “wireless” interface 10.10.10.10/255.255.255.0 and my servers are on “internal” interface 192.168.1.254/255.255.255.0

 

Do you have an internal dns server and are you leasing this dns server address to you wireless client? If you do this and the internal dns server returns internal address for names then it will work.

If you are using public dns server then the problem and the solution will be same for you next question.

Perhaps related to this, or not, the desktops on my LAN are able to reach external websites, but are unable to reach sites on internal servers by FQDN (eg: http://apps.domain.com/bigtime). They can reach sites on internal servers by UNC (//whitney/bigtime)

 

I have a feeling I need some additional policies. Any ideas? 

Configure vip and policies as per this KB: 

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33976&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=3130455&stateId=0%200%2067774631 

The wireless SSID used by my internal users specifies “Same as System DNS” under WiFi > SSID. My system DNS is an internal DNS specified as 192.168.1.5 under System > Network > DNS.

I just found something. Our internal DNS considers our local domain to be ourdomain.local, not ourdomain.com. It seems that our old FortiGate recognized names entered as ourdomain.com to be local, but not the new FortiGate.

That is, if I lookup [link=http://apps.ourdomain.com/bigtime]http://apps.ourdomain.com/bigtime[/link] from the LAN then the site is not found, but if I lookup [link=http://apps.ourdomain.local/bigtime]http://apps.ourdomain.local/bigtime[/link] the site is found (but I'm prompted for credentials as if it's not an internal site). This is true for wired and wireless users alike.

Is there a straight forward fix for this? Thanks again.

Thanks. The DHCP (server option 015) lease includes both domain suffixes, but the primary is ourdomain.local

I will keep looking in this direction, but if anyone notices any obvious problems, please let me know.

H:\>ipconfig /all

Windows IP Configuration
Host Name . . . . . . . . . . . . : ws015
Primary Dns Suffix . . . . . . . : ourdomain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ourdomain.local
                                    ourdomain.com
Ethernet adapter Local Area Connection 7:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Fortinet virtual adapter
Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . : ourdomain.local
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-13-20-04-3F-24
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.151
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.5
DNS Servers . . . . . . . . . . . : 192.168.1.5
Primary WINS Server . . . . . . . : 192.168.1.5
Lease Obtained. . . . . . . . . . : Monday, February 23, 2015 1:09:49 PM
Lease Expires . . . . . . . . . . : Tuesday, March 03, 2015 1:09:49 PM

I see now that I need to configure split DNS to have a zone for ourdomain.local resolution and another zone for ourdomain.com resolution. I wonder why this wasn't needed until we replaced our FortiGate? It must have been doing something somewhere..

As the old device was running pretty old code, there are lot of behavior changes in new version so I  can't say for sure how it was working.

From the old config I can see that vip was setup with external interface so if it is configured the same way access using public ip will not work in new version (VIP should be set to any)

In the new version of FortiOS as we are trying to access the server using public address(vip) from LAN we need to configure vip and policies as per this KB: 

  http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33976&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=3130455

Try to configure as above and I am pretty sure it should work.

Thanks, ashukla.

I should take a step back before I configure as you've provided. Are Virtual IPs even needed in my case? Say I want to limit external access to our mail server by creating a policy that allows only SMTP. Do I need a Virtual IP for that, or just an Address Object and a policy referencing that object?

Thanks.

Thanks again. Before I configure these policies for VIP, I'm beginning to suspect that I don't need VIP for my scenario to work. I have 3 servers that require both internal and external access. One is hostname "diablo" (int. 192.168.1.11, ext. 64.145. 110.91). Access to it should be limited to https. Can I create a policy that accomplishes that without creating a VIP for it? Thanks.

No you can't.

The VIP will

- bind the public IP to the external interface (answering to ARP requests)

- translate the destination IP from the public IP to the internal IP

The last point is necessary as private IP addresses are not routeable (cf. RFC1918). So with a policy 'wan->internal' you could not reach the private address as it's not routed to you.

The salient point is: how do internal users connect to the DMZ'ed server, by name or by private address or by public address?