danishm99
New Member
June 9, 2022
Question

Unable to access virtual service from internal IPs


Hi Experts,

I have configured a virtual service on the FortiGate in the same IP range as the outside interface. Now I have a requirement to access the virtual server IP from servers in the same subnet as the backend server of the virtual server.

Is this possible? If so, how can I achieve this?

I am aware of hairpin NAT in the case of a VIP, but this is a different scenario where I want to access the virtual server IP. Please help.

2 replies

AEK
SuperUser
June 9, 2022

Suppose that internal subnet is 10.0.0.0/24, back-end server is 10.0.0.1 and VIP is 172.16.0.1.

I think hosts on the same subnet as the back-end server will run into an L3-related issue:

- Some host 10.0.0.2 tries to reach 172.16.0.1
- The packet reaches 10.0.0.1 through the VIP
- 10.0.0.1 replies to 10.0.0.2
- Since it is on the same subnet, 10.0.0.2 receives the reply directly from 10.0.0.1, not from 172.16.0.1
- Result: 10.0.0.2 drops the packet since it is an unsolicited connection

So I think the only way for hosts from 10.0.0.0/24 to access 10.0.0.1 is to not use the VIP.

AEK
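
The packet flow described in the reply above, modelled as an added example that is not part of the original thread. The addresses come from the reply; the ports and the off-subnet client 10.0.1.5 are assumptions added for contrast, so the model goes one case beyond the reply.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Addresses from the reply above; ports and the 10.0.1.5 client are constructed.
SERVER_NET = ipaddress.ip_network("10.0.0.0/24")
VIP, BACKEND, SVC_PORT = "172.16.0.1", "10.0.0.1", 443

def firewall_dnat(pkt, sessions):
    """Destination NAT VIP -> back-end, recording the session for the return path."""
    out = Packet(pkt.src, pkt.sport, BACKEND, pkt.dport)
    sessions[(out.dst, out.dport, out.src, out.sport)] = pkt.dst
    return out

def server_reply(req, sessions):
    """Back-end answers; its routing decides whether the firewall sees the reply."""
    reply = Packet(req.dst, req.dport, req.src, req.sport)
    if ipaddress.ip_address(reply.dst) in SERVER_NET:
        return reply  # on-link: delivered directly, the firewall never sees it
    # off-link: routed via the firewall, which restores the VIP as the source
    vip = sessions[(reply.src, reply.sport, reply.dst, reply.dport)]
    return Packet(vip, reply.sport, reply.dst, reply.dport)

def client_accepts(client_ip, sport=40000):
    """True if the reply matches the connection the client opened to the VIP."""
    sessions = {}
    syn = Packet(client_ip, sport, VIP, SVC_PORT)
    reply = server_reply(firewall_dnat(syn, sessions), sessions)
    expected = Packet(VIP, SVC_PORT, client_ip, sport)
    return reply == expected

if __name__ == "__main__":
    for ip in ("10.0.0.2", "10.0.1.5"):
        verdict = "accepts reply" if client_accepts(ip) else "drops reply (source is back-end, not VIP)"
        print(ip, verdict)
```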