Walenteano
New Member
March 15, 2020
Question

Traffic via tunnel

  • March 15, 2020
  • 1 reply
  • 5751 views
I have a customer that configured tunneling from a particular external public IP address to access some server applications through the FortiGate firewall on their LAN. From what I was told, that particular public IP can reach the FortiGate from the other end, but they can't ping that IP from the customer's end. I don't know what went wrong. Kindly assist.

    1 reply

    ede_pfau
    SuperUser
    March 15, 2020

    hi,

    I'm afraid the lack of configuration data leaves a lot to speculate here.

    It sounds like there is a port forwarding (destination NAT) policy from WAN to LAN in effect which allows access to an internal server via the FGT's external public address. In this policy a VIP (virtual IP) is used which translates the public IP to the private internal IP of the server.

    So far, no surprises.

    There are 2 kinds of VIPs: simple ones and port-forwarding ones. The simple VIP just exchanges the destination address, that is, all traffic to <public IP> will be translated to the new destination <private IP>. Access to the server is only limited by the service(s) you allow in the policy.

    The port-forwarding VIP translates the destination address AND single destination ports. This is more common and (in a way) a bit safer. Each service (ftp, smtp etc.) uses specific, well defined (destination) ports so the internal server is only reachable via the specific service.

    That, on the other hand, prevents PING from being forwarded, as the ICMP protocol is not based on ports. Only a non-port-forwarding VIP will allow you to ping the internal server.

    I hope this explains your problem. If not, please supply more info, like what the problem is, which policy is involved and how the VIP is configured. We'll see how we can help then.

    emnoc
    New Member
    March 15, 2020

    This is more common and (in a way) a bit safer

    Both simple and port-forward VIPs need a security policy; neither is safer than the other. The port-forward VIP is used mainly when your pre-NAT port needs to be changed to a port that is NOT the destination.

    Example:

       inbound port 443, server port 788

    I personally hate port-forward VIPs unless the above example is required, or when using a single public address to conserve space for 2 or more backend servers.

    Example:

    public web @ 192.0.2.1:80 ----> 192.168.1.110:80

    public email @ 192.0.2.1:25 ----> 192.168.1.77:25

    public sftp-server @ 192.0.2.1:22 ----> 192.168.1.26:22

    Ken Felix
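A constructed model, added here and not code from either poster or from Fortinet, of the two VIP kinds ede_pfau describes, loaded with the three-service mapping and the 443-to-788 remap from the post above. It shows why a ping to the shared public address is never forwarded by port-forwarding VIPs while a simple VIP passes it. Field names follow FortiGate vocabulary (extip, mappedip, portforward, extport, mappedport), but the first-match lookup is a simplifying assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the two VIP kinds from the thread: a simple VIP swaps
# only the destination address; a port-forwarding VIP also requires the
# protocol and destination port to match. Class and field names are assumptions.

@dataclass(frozen=True)
class Vip:
    name: str
    extip: str                  # public address on the FortiGate's WAN side
    mappedip: str               # private address of the internal server
    portforward: bool = False   # False = simple VIP, True = port-forwarding VIP
    protocol: str = "tcp"       # only consulted when portforward is True
    extport: Optional[int] = None
    mappedport: Optional[int] = None

Match = Tuple[str, Optional[int], str]   # (mapped ip, mapped port, vip name)

def translate(vips: List[Vip], dst_ip: str, proto: str,
              dst_port: Optional[int] = None) -> Optional[Match]:
    """Destination NAT lookup: first VIP whose criteria match, else None.
    A match only rewrites the destination; a firewall policy must still
    allow the service, as both posters point out."""
    for v in vips:
        if v.extip != dst_ip:
            continue
        if not v.portforward:
            # Simple VIP: any protocol, ICMP included, so ping is forwarded.
            return (v.mappedip, dst_port, v.name)
        # Port-forwarding VIP: ICMP carries no port, so it can never match here.
        if proto == v.protocol and dst_port == v.extport:
            return (v.mappedip, v.mappedport, v.name)
    return None

# Constructed VIP table: one shared public IP for three services (emnoc's
# example), one port remap (443 -> 788), and one simple VIP for comparison.
VIPS = [
    Vip("web",   "192.0.2.1", "192.168.1.110", True, "tcp", 80, 80),
    Vip("mail",  "192.0.2.1", "192.168.1.77",  True, "tcp", 25, 25),
    Vip("sftp",  "192.0.2.1", "192.168.1.26",  True, "tcp", 22, 22),
    Vip("remap", "192.0.2.2", "192.168.1.50",  True, "tcp", 443, 788),
    Vip("plain", "192.0.2.3", "192.168.1.200"),
]

if __name__ == "__main__":
    print(translate(VIPS, "192.0.2.1", "tcp", 80))   # web server reached
    print(translate(VIPS, "192.0.2.1", "icmp"))      # None: ping not forwarded
    print(translate(VIPS, "192.0.2.3", "icmp"))      # simple VIP forwards ping
```

Running it against the shared address 192.0.2.1 reproduces the symptom in the question: TCP to a forwarded port is translated, ICMP echo is dropped before any policy is consulted.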

    ede_pfau
    SuperUser
    March 15, 2020

    Agree, VIPs have nothing to do with security so I should be even more cautious with my remarks. Good you made that absolutely clear.