MustphaBassim
New Member
October 12, 2022
Question

reach from inside to virtual IP

  • October 12, 2022
  • 3 replies
  • 3517 views

Hello Dears,

I have a server with a private IP and it is NATed using a virtual IP address. We are not able to access the server from the internal network using the public IP, only using the private IP. Any idea how to allow access from the internal network using the public IP?

Best

3 replies

jintrah_FTNT
Staff
October 12, 2022
Yurisk
SuperUser
October 12, 2022

An excellent document in its explanation, and it is only unfortunate that it does not contain the keyword hairpinning, which is the accepted term for this configuration (Juniper, Cisco, Mikrotik, etc.). So when people search for "hairpinning fortigate" they get the FortiOS 5.4 cookbook https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/856642/configuring-hair-pinning-on-a-fortigate

and https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448, which uses "hairpin" instead of "hairpinning", but not this document.

SEO is less than optimal :)

pminarik
Staff
October 12, 2022

This will largely depend on whether your VIP is configured with external interface = any, or a specific interface.

For "any", follow the KB shared by jintrah.

If the VIP is bound to a specific external interface, let us know. It's a bit more complicated, but still doable.

MustphaBassim
New Member
October 12, 2022

Hello dear,

Yes, it's bound to the WAN1 interface, not any.

pminarik
Staff
October 12, 2022

Hi MustphaBassim.

Assumptions used in my example:

- lan = interface with internal users
- dmz = interface with the real server (where the VIP points to)
- wan = extintf of the VIP

Replace these with your actual values/names/interfaces.

You probably already have a wan->dmz policy with the VIP for external access from public clients. Keep that in place, unchanged.

To let internal users access this VIP, you need to add a lan->wan(!) policy. The destination address of this policy must match the VIP extip (or "all"). The service of the policy must match the pre-DNAT destination port (the VIP's extport; or "ALL").

Further notes:

- If you already have a lan->wan policy with dst=all & service=ALL, this may be sufficient to let the traffic through (possibly depending on UTM settings, if used).

- If "lan" and "dmz" are actually the same segment (internal users are in the same subnet as the real server behind the VIP), you will need to introduce SNAT in order to avoid the traffic flow breaking due to asymmetric routing.
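The configuration pminarik describes above, written out as FortiOS CLI. This is an added example, not part of the thread and not Fortinet's own KB content; every name and address in it is an assumption: `lan`, `dmz` and `wan1` as the interface names from the post, `srv_vip` as the VIP object name, policy IDs 10 and 11, and the constructed addresses 203.0.113.10 (public/VIP address) and 10.10.10.10 (real server). Replace them with your own values.

```fortios
# Added example (not from the thread). Interface names, object names,
# policy IDs and IP addresses below are assumptions / constructed values:
#   lan  = interface with internal users
#   dmz  = interface with the real server (where the VIP points to)
#   wan1 = external interface the VIP is bound to (its extintf)
#   203.0.113.10 = constructed public (VIP) address
#   10.10.10.10  = constructed real server address

# 1. The existing VIP, bound to a specific external interface (not "any").
config firewall vip
    edit "srv_vip"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.10.10.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# 2. The existing wan1->dmz policy used by public clients. Left unchanged.
config firewall policy
    edit 10
        set name "public_to_srv"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "srv_vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# 3. The added lan->wan1 policy for internal users reaching the public IP.
#    dstaddr is the VIP object, so it matches the VIP extip; the service
#    matches the pre-DNAT destination port (extport 443 = HTTPS). This is
#    narrower than a catch-all dst=all / service=ALL policy, which keeps
#    the hairpin traffic separately visible in logs and UTM profiles.
config firewall policy
    edit 11
        set name "lan_to_vip_hairpin"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "srv_vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # Leave SNAT off when lan and dmz are different segments.
        # If internal users sit in the same subnet as the real server,
        # change this to "set nat enable" so the server's replies return
        # through the FortiGate instead of going straight to the client
        # (the asymmetric-routing case from the post).
        set nat disable
    next
end
```

Policies are matched top-down, so if a broad lan->wan1 policy already exists, move policy 11 above it (or the broad policy will take the traffic first and the specific one never matches). Do not change the VIP's `extintf`; the whole point of the post is that the VIP stays bound to `wan1`.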

Markus_M
Staff & Editor
October 12, 2022

2 cents from me: your internal DNS should fix this without any firewall changes by responding to internal user queries with the internal IP instead of the external IP.