Alex2
New Member
June 15, 2023
Question

Problem to have acces to server behind a fortigate

  • June 15, 2023
  • 3 replies
  • 4801 views

Hello,

Hope you are fine

I have a problem accessing a private IP server 172.31.X.X/20 behind a FortiGate which has the public IP 1111.1111.1111.1111/32. My server is supposed to be an SMPP server, but I can't access it from the outside. I configured the virtual IP to redirect incoming traffic on the public IP to my server at the corresponding port.


Please I really need help.


PS: I configured a VPN which works normally with private addresses, but our client only works with public addresses.

3 replies

ebilcari
Staff
June 15, 2023

You have to also create a firewall policy from WAN port to internal port and use VIP object as the destination:

(attached screenshot: port fwd.PNG)

Emirjon
Alex2 (Author)
New Member
June 19, 2023

Hello ebilcari,

I already did it: I created a virtual IP for my server and I went to the firewall policies to accept traffic to my server, but it still doesn't work.

ebilcari
Staff
June 19, 2023

Then two other things to check:

- In the VIP configuration, if you choose an interface, you have to choose the WAN interface.

- If the SNMP server is accepting traffic from a specific source IP, you have to disable NAT in the above firewall policy.

Emirjon
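As an added example (not from this thread or from Fortinet documentation), here is a FortiOS CLI fragment that ties together the three points raised above: a VIP bound to the WAN interface, a WAN-to-internal policy that uses the VIP object as its destination, and NAT disabled so the server sees the real client source address. The interface names wan1/internal, the addresses 203.0.113.10 and 172.31.1.10, and TCP port 2775 are assumed placeholders; the lines starting with # are explanatory comments.

```fortios
# Assumed placeholders: wan1 / internal, 203.0.113.10 (public), 172.31.1.10 (server), TCP 2775.
config firewall service custom
    edit "SMPP-2775"
        set tcp-portrange 2775
    next
end

config firewall vip
    edit "smpp-vip"
        set extip 203.0.113.10
        # The external interface must be the WAN interface (not "any" or the internal port).
        set extintf "wan1"
        set mappedip "172.31.1.10"
        set portforward enable
        set protocol tcp
        set extport 2775
        set mappedport 2775
    next
end

config firewall policy
    edit 0
        set name "wan-to-smpp"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        # Destination is the VIP object itself, not an address object for the server.
        set dstaddr "smpp-vip"
        set action accept
        set schedule "always"
        set service "SMPP-2775"
        # NAT off: the server receives the client's real source IP instead of the FortiGate's.
        set nat disable
        set logtraffic all
    next
end
```

If the client connects from a known public address, replace srcaddr "all" with an address object for that client so the forwarded port is not exposed to everyone. To confirm that connections actually reach the VIP rather than the IPsec tunnel, run `diagnose sniffer packet any 'host 203.0.113.10 and port 2775' 4` while the client connects.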
ede_pfau
SuperUser
June 15, 2023

Also, note that you cannot ping the real server from outside if you have port forwarding enabled. ICMP does not use ports, and thus is not propagated.

knagaraju
Staff
June 19, 2023

Hello Alex2,
In this case, I suggest you capture the flow debugs to have a complete picture of what is happening at the backend.

Please run the below commands in the FortiGate CLI:
diagnose debug reset
diagnose debug flow filter addr x.x.x.x   (where x.x.x.x is the actual public IP of the source user from which you are initiating the traffic)
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable

Please initiate the traffic.

Then please disable the debugs with the below commands:
diagnose debug disable
diagnose debug reset


Regards
Nagaraju.

Alex2
Alex2 (Author)
New Member
June 19, 2023

I tried those commands and I have this:

id=65308 trace_id=1003 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, original direction"
id=65308 trace_id=1004 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, x.x.x.x:4500-> lan port:4500) tun_id=0.0.0.0 from WAN. "
id=65308 trace_id=1004 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, reply direction"
id=65308 trace_id=1005 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, lan port:4500-> x.x.x.x:4500) tun_id=0.0.0.0 from local. "
id=65308 trace_id=1005 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, original direction"

abarushka
Staff
June 19, 2023

Hi,


I suspect that you collected debug flow traces for IPsec rather than VIP.


id=65308 trace_id=1004 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, x.x.x.x:4500-> lan port:4500) tun_id=0.0.0.0 from WAN (port 4500 is used by IPsec)