Description | This article describes a scenario in which traffic leaves the FortiGate towards a server but no reply comes back. This is usually caused either by permissions on the server or by a routing issue on the server itself, such as a persistent route that points to a different gateway. |
Scope | FortiGate. |
Solution |
Hairpin NAT can be configured by following this KB article: Technical Tip: Configuring Hairpin NAT (VIP)
If, after configuration, the internal user is still unable to access the server, the cause may be a persistent route configured on the server that points to a different gateway. First verify the firewall policies that reference the VIP (WAN to DMZ, and the hairpin policy from the internal network to DMZ). Then check the routing table on the server.
In the snapshot below, the persistent route on the server points to 10.157.13.172, whereas the traffic arrives from 10.157.13.163:
In this scenario the traffic reaches the server, but the server's reply is sent to the other gateway (10.157.13.172) because of the persistent route, so it never returns through the FortiGate to the user's machine. This is asymmetric routing: the FortiGate sees the SYN but never the reply, and the session times out. To fix it, either remove the persistent route from the server or enable NAT (source NAT) on the internal-to-DMZ firewall policy. With NAT enabled, the server sees the FortiGate's DMZ interface address as the source of the connection and replies directly to that on-link address, so the persistent route no longer matches the reply. |
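The following FortiOS CLI fragment is an added example and is not taken from the KB article it links to; it shows the hairpin policy with NAT enabled, which is the firewall-side fix described above, together with the commands used to confirm that the reply now comes back on the DMZ interface. The VIP name, the public address 198.51.100.10, the server address 10.157.13.50, the FortiGate DMZ interface address 10.157.13.163 and the interface names "internal" and "dmz" are assumptions for illustration; adjust them to the environment.

```fortios
# VIP for the DMZ server. extintf "any" lets the same VIP match in the
# hairpin (internal -> dmz) policy as well as the wan -> dmz policy.
# 198.51.100.10 and 10.157.13.50 are example addresses (assumed).
config firewall vip
    edit "DMZ-Server-VIP"
        set extip 198.51.100.10
        set extintf "any"
        set mappedip "10.157.13.50"
    next
end

# Hairpin policy: internal clients reach the server through the VIP.
# "set nat enable" source-NATs the client to the dmz interface address
# (10.157.13.163, assumed), so the server's reply is sent to an on-link
# address and the persistent route to 10.157.13.172 is never used.
config firewall policy
    edit 0
        set name "LAN-to-DMZ-hairpin"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "DMZ-Server-VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verification: the sniffer must show both directions on dmz, i.e. the
# SYN towards 10.157.13.50 and the SYN-ACK from it back to 10.157.13.163.
diagnose sniffer packet dmz 'host 10.157.13.50' 4

# Alternatively trace the session through the policy engine; a flow
# that shows the SYN but never the reply points at the server's route.
diagnose debug flow filter addr 10.157.13.50
diagnose debug flow trace start 10
diagnose debug enable
```

If the persistent route is removed on the server instead, `route print` on a Windows server lists it under "Persistent Routes" and `route delete <destination>` removes it; after either change, `diagnose sys session list` on the FortiGate should show the session with traffic counted in both directions rather than only in the originating direction.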
Copyright 2024 Fortinet, Inc. All Rights Reserved.