fsv99er
New Member
June 4, 2014
Question

Unreachable WAN IP address from internal LAN

  • June 4, 2014
  • 14 replies
  • 16421 views
Hi, since a few weeks we have a FortiGate 100D. Everything worked very well, but now we have a big problem. We have a WAN IP address 212.xxx.xxx.xxx. This IP is reachable from the Internet; all works fine. But if my device has an internal LAN IP address 192.xxx.xxx.xxx, we can't reach the WAN IP address. What can I do so that the WAN IP address is reachable from the LAN? Is this a routing problem?

    14 replies

    emnoc
    New Member
    June 4, 2014
    Go to the WebGUI or CLI and check and set the allowaccess for ping for that interface, e.g. (CLI):
        config sys interface
            edit wan1
                set allowaccess ping
            end
    If you have this already, then diag debug flow is your friend. It would probably show something similar to:
        trace_id=21 msg="iprope_in_check() check failed, drop"
    fsv99er (Author)
    New Member
    June 4, 2014
    Hi, thanks for your fast reply. I did the allowaccess ping.... but the problem is the same. The diagnose debug flow shows this:
        id=13 trace_id=703 msg="vd-root received a packet(proto=6, 192.168.xxx.xxx:21347->212.xxx.xxx.xxx:443) from lan."
        id=13 trace_id=703 msg="allocate a new session-001b981a"
        id=13 trace_id=703 msg="find SNAT: IP-192.168.0.9(from IPPOOL), port-443"
        id=13 trace_id=703 msg="VIP-192.168.0.9:443, outdev-lan"
        id=13 trace_id=703 msg="DNAT 212.xxx.xxx.xxx:443->192.168.0.9:443"
        id=13 trace_id=703 msg="find a route: gw-192.168.0.9 via lan"
        id=13 trace_id=703 msg="use addr/intf hash, len=3"
        id=13 trace_id=703 msg="Denied by forward policy check"
    Is there a problem?
    TheJaeene
    New Member
    June 4, 2014
    Hi, do you want to reach an internal server (VIP) via the external address? Regards, Jan
    fsv99er (Author)
    New Member
    June 4, 2014
    Yes! With this external address I reach an internal IP. It works! But with an internal IP I can't reach the external WAN address.
    TheJaeene
    New Member
    June 4, 2014
    A dirty solution: if your external IP is static you can build a Hairpin NAT/Policy.
    VIP "VIP-Server": port forwarding (bound to internal), "external IP" 443 -> map to "internal server IP" 443
    Policy: Internal -> Internal, Internal Network -> to "VIP Server", 443
    emnoc
    New Member
    June 4, 2014
    Guys, the answer is right in front of you:
    "Denied by forward policy check"
    You're missing a fwpolicy.
    TheJaeene
    New Member
    June 4, 2014
    Blind :D
    TheJaeene
    New Member
    June 4, 2014
    @fsv99er Emnoc had some coffee.. me not :D Forget what I just wrote. Check your firewall rules (or post them here along with the VIP definitions).
    fsv99er (Author)
    New Member
    June 4, 2014
    I need your help. I created a "VIP Server" in Firewall Objects - Addresses ... with the IP of the internal server. In the policy, do I say lan to VIP server, or what?
    fsv99er (Author)
    New Member
    June 4, 2014
    Very blind? :D
    fsv99er (Author)
    New Member
    June 4, 2014
    Name: VIP SERVER
    Type: Subnet
    Subnet / IP Range: 192.168.0.9 (IP of the internal server)
    Interface: lan
    Show in Address List: YES
    TheJaeene
    New Member
    June 4, 2014
    Please provide us the CLI output of:
    -> sh firewall policy
    -> sh firewall vip
    Don't forget to obfuscate your official IPs :D
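The thread stops before the poster shares a working configuration, so the following is an added example, not configuration from any participant, of the hairpin NAT recipe TheJaeene describes (a port-forwarding VIP plus an internal-to-internal policy) and of the "forward policy" emnoc points out is missing. It is written in FortiOS 5.x CLI syntax. Assumed values: the public IP is the documentation placeholder 203.0.113.10 (standing in for the poster's 212.xxx.xxx.xxx), the object name is "VIP-Server", the internal server is 192.168.0.9 on interface "lan" as in the thread, and only TCP/443 is forwarded. Note that the object must be a Virtual IP (Firewall Objects > Virtual IPs), not the plain address object the poster created; the policy's destination references that VIP.

```fortios
# Added example, not from the thread. FortiOS 5.x CLI.
# Assumptions: public IP 203.0.113.10 (placeholder), VIP name "VIP-Server",
# internal server 192.168.0.9 on interface "lan", TCP/443 only.

# 1. Virtual IP: a port-forwarding DNAT object. extintf "any" lets the same
#    VIP match traffic arriving on lan as well as on wan1, which is what a
#    hairpin needs.
config firewall vip
    edit "VIP-Server"
        set extintf "any"
        set extip 203.0.113.10
        set mappedip "192.168.0.9"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 2. The forward policy the debug flow reported as missing: lan -> lan with
#    the VIP as destination. NAT is enabled so the server sees the FortiGate
#    as the client; without it the server would answer the client directly
#    with its private IP and the client would drop the mismatched reply.
config firewall policy
    edit 0
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "VIP-Server"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set comments "Hairpin: LAN clients reaching the public IP of VIP-Server"
    next
end

# 3. Verify from an internal client with the same debug flow used in the
#    thread; the trace should now end in a policy match instead of
#    "Denied by forward policy check".
diagnose debug flow filter addr 192.168.0.9
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 20
```

Keep the service and source address as narrow as the use case allows (here HTTPS only, and ideally a LAN subnet object rather than "all"); the hairpin policy is a second path into the server that is easy to forget when policies are later reviewed. Remember to stop the trace afterwards with `diagnose debug disable`.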