Virtual IP to Azure VPN (Hairpinning)

Question

Hi,

I've currently got a fortigate (5.4.4) that has a Azure VPN connected on the outside interface, a number of subnets running on the inside of the fortigate have access to the servers over the Azure VPN and all is running no problem

I've just got a new request to permit two external IP addresses access to a port on a server at Azure (this has to access via the VPN).

So i need to create a VIP (port forwarding) from a IP on the fortigate outside interface pointing to the server at Azure and send the traffic up the existing Azure VPN (hairpinning).

I tried this last night but could not get it working.

What i tried was....

1. Create the VIP (outside interface IP address port forward to Azure server ip address on TCP port)

2. Create a policy (no natting) outside int -> Azure VPN

3. Create a policy (no natting) Azure VPN -> outside int

4. added the two public IP's requiring access, to the Azure VPN phase2 local subnets

5. added the two public IP's requiring access, to the Azure end setup.

But the Azure VPN dropped and would not come backup until i removed all the config again.

Can you tell me if this setup is possible and if so how?

Beezer · Answer

FYI i have now proven this works in a Lab setup with a VPN to a Cisco router simulating the Azure connection.

However in the actual setup traffic does not not reach the Azure servers (a packet capture on the Fortigate Azure VPN interface) shows traffic correctly hitting the VPN.

It's looking like it may be an Azure issue.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded