jd653687
Visitor III
January 10, 2017
Question

VLAN external to LAN not allowed

  • January 10, 2017
  • 2 replies
  • 7868 views

Hi,

I have a VLAN configured which is only allowed to use HTTP/HTTPS and DNS to the internet. There is a web server on the LAN they need to contact, which is also reachable from the outside. When they try to connect to this website they get the outside address from DNS, and in the firewall we get a "not allowed". I created a security policy, but with no effect.

The web server is available via a VIP from outside to the LAN on ports 80 and 443, with the interface set to any.

Any idea how to solve this?


LAN is 10.0.0.0/24

VLAN is 192.168.5.0/24

They try to go to www.mydomain.nl

On the LAN this is 10.0.0.2

On the outside this is 200.200.200.20 (example)

DNS on the VLAN returns 200.200.200.20, and in the logging we see "deny: policy violation, implicit deny"


FortiGate 51E with 5.4.0; tonight I am updating it to the latest IOS.


    2 replies

    MikePruett
    New Member
    January 10, 2017

    Do you have a VLAN-to-internal policy to allow that traffic? It might be doing some hairpinning and wanting a policy to allow it even though the outside policy is there.

    jd653687
    jd653687Author
    Visitor III
    January 10, 2017

    Hi Mike,

    Thank you for the quick reply.

    Yes, there is a policy for VLAN to LAN (NAT disabled).

    How do I hairpin this?


    Regards,

    Jan

    rwpatterson
    New Member
    January 10, 2017

    Try enabling NAT.
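Putting the two replies together, the following FortiOS CLI fragment is an added example (not posted by anyone in this thread) of the hairpin configuration they describe: the VIP keeps `extintf any`, and a separate VLAN-to-LAN policy uses the VIP (not the plain LAN address) as its destination, with NAT enabled as suggested. The interface names `vlan5` and `internal`, the address object `vlan5-net`, the VIP names and the policy id are assumptions; the addresses and ports are the ones given in the question. The destination is deliberately limited to the web server's VIP so the VLAN's original restriction (only HTTP/HTTPS and DNS) still holds and nothing else on the LAN is opened up.

```text
# VIP: public 200.200.200.20 -> LAN web server 10.0.0.2, ports 80 and 443.
# extintf "any" is what allows the same VIP to be matched from the VLAN side.
config firewall vip
    edit "vip-www-80"
        set extip 200.200.200.20
        set extintf "any"
        set portforward enable
        set mappedip "10.0.0.2"
        set extport 80
        set mappedport 80
    next
    edit "vip-www-443"
        set extip 200.200.200.20
        set extintf "any"
        set portforward enable
        set mappedip "10.0.0.2"
        set extport 443
        set mappedport 443
    next
end
config firewall vipgrp
    edit "vip-www"
        set interface "any"
        set member "vip-www-80" "vip-www-443"
    next
end

# Address object for the VLAN subnet from the question (assumed name).
config firewall address
    edit "vlan5-net"
        set subnet 192.168.5.0 255.255.255.0
    next
end

# Hairpin policy: VLAN -> LAN. The destination is the VIP group, not the
# LAN address, so the DNAT is applied to traffic arriving from the VLAN.
# Only the web server's VIP is reachable through this policy.
config firewall policy
    edit 10
        set name "vlan5-to-www-hairpin"
        set srcintf "vlan5"
        set dstintf "internal"
        set srcaddr "vlan5-net"
        set dstaddr "vip-www"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

One caveat worth knowing before choosing this over split DNS: with `set nat enable` the web server at 10.0.0.2 sees the FortiGate's LAN address as the client, not the real 192.168.5.x host, so the server's own access logs lose the client identity and the audit trail for those hits has to come from the FortiGate traffic log (`set logtraffic all` above). To confirm which policy a hairpinned session actually hits, `diagnose debug flow filter addr 200.200.200.20`, `diagnose debug flow trace start 10` and `diagnose debug enable` show the VIP match and the policy id chosen for a test connection from the VLAN.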

    jd653687
    jd653687Author
    Visitor III
    January 11, 2017

    Yes, I can ping from the VLAN to the LAN.

    The VLAN is using the FortiGate DNS, which is set to the provider's DNS servers.

    I already found that this was the problem, but I do not know how to solve it.

    I tried to create a DNS database, pointed the VLAN to this server and created an A record for the internal server, but I still got the external IP address.

    I cannot find how to set up the DNS database on the FortiGate, which I think is the solution.

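The DNS-database approach this post is trying is split-horizon DNS: answer `www.mydomain.nl` with the LAN address only for queries that arrive on the VLAN, and let everything else resolve as before. The FortiOS CLI fragment below is an added example, not the poster's configuration (the thread never shows what was configured). The interface name `vlan5`, the DHCP server id 2 and the zone layout are assumptions built from the question. Two details are easy to miss and either one leaves clients with the public record: the zone must be `view shadow` with the interface's DNS service in `recursive` mode, and the VLAN clients must actually be handed the FortiGate's VLAN interface address as their resolver.

```text
# Internal (shadow) zone for mydomain.nl. A shadow view is only served
# on interfaces running the FortiGate DNS service in recursive mode,
# so the private 10.0.0.2 record is never handed out to the internet.
config system dns-database
    edit "mydomain.nl"
        set status enable
        set domain "mydomain.nl"
        set type master
        set view shadow
        set ttl 86400
        set authoritative enable
        config dns-entry
            edit 1
                set status enable
                set type A
                set hostname "www"
                set ip 10.0.0.2
            next
        end
    next
end

# Enable the DNS service on the VLAN interface. Recursive mode answers
# from the database above and forwards all other names to the system
# DNS servers (config system dns), so internet resolution keeps working.
config system dns-server
    edit "vlan5"
        set mode recursive
    next
end

# Existing DHCP server for the VLAN (assumed id 2): "default" hands out
# the FortiGate's own vlan5 interface address as the clients' resolver.
config system dhcp server
    edit 2
        set interface "vlan5"
        set dns-service default
    next
end
```

To check it, query the VLAN interface address from a VLAN host (for example `nslookup www.mydomain.nl` against that IP) and expect 10.0.0.2, while the same name queried directly against the provider's resolver still returns 200.200.200.20. Compared with hairpinning through the VIP, this keeps the VLAN-to-LAN policy narrow (real client source addresses, 10.0.0.2 as the only destination) and lets the web server log the real client IP, which is usually the better choice for a restricted VLAN.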

    jd653687
    jd653687Author
    Visitor III
    January 11, 2017

    I am now using the internal DNS servers and this solved the problem.

    Thanks to all of you helping me out.