A service for WAN on a server behind two FortiGates with an IPsec VPN between them
Hello dear Fortinet Community,
I am new to FortiGates and I have the case depicted in the attached picture: a server in LAN 2 (interface L2) behind FortiGate 2 (FortiWiFi 60CX-ADSL-A, Firmware v5.2.15,build766 (GA)) which is being addressed from WAN (interface W) through FortiGate 1 (FortiWiFi 60CX-ADSL-A, Firmware v5.2.15,build766 (GA)) and the IPsec VPN (interfaces V1 and V2 are the VPN interfaces). The server runs a number of services that should be accessible from WAN. Let's take FTP as one example.
I have the following relevant policies on FortiGate 1.
The Virtual IP object "Server" has the following configuration:
Type: static NAT,
Source Address Filter: disabled,
External IP Address/Range: 0.0.0.0 - 0.0.0.0
Internal IP Address/Range: xxx.yyy.zzz.nnn - xxx.yyy.zzz.nnn (the IP Address of the Server in LAN 2)
Port Forwarding: enabled,
External Service Port: 21 - 21
Internal Service Port: 21 - 21
Besides that, I have the following relevant policies on FortiGate 2.
F2.I V2 - L2: Source: all; Destination: Server (Address); Schedule: always; Service: FTP; Action: accept; NAT: disable.
F2.II L2 - V2: Nothing... but should I have an accepting policy for Server -> all?
The Address object "Server" has the following configuration:
Subnet / IP Range: xxx.yyy.zzz.nnn (the IP Address of the Server in LAN 2),
Show in Address List: yes.
When I try to connect via FTP from WAN using the address of the WAN interface, I see the number of packets increasing on F1.I, but nowhere else and, obviously, I can't establish a connection. Could you please help me with what and how I should change to allow the required connectivity?
I've disabled NAT on the F1.I and I have also found the sniffer. Now I see that I'm receiving the packets on V2:
# diag sniff packet any "host xxx.yyy.zzz.nnn and tcp port 21" 4
interfaces=[any]
filters=[host xxx.yyy.zzz.nnn and tcp port 21]
4.711693 V2 in aaa.bbb.ccc.ddd.56402 -> xxx.yyy.zzz.nnn.21: syn 4170189320
16.712715 V2 in aaa.bbb.ccc.ddd.56402 -> xxx.yyy.zzz.nnn.21: syn 4170189320
I have changed F1.I to NAT and then added the external IP address of FortiGate 1 to the routing table of FortiGate 2 statically. Now I seem to have the connection. The problem seems to be solved now.
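As an added example that is not part of the original post, here is the setup the post ends up with, written as FortiOS 5.2 CLI so the objects, the two policies, the static route and the sniffer check can be compared side by side. The interface names "wan1", "V1", "V2" and "L2", the policy IDs, and the address 203.0.113.1 for FortiGate 1's external IP are assumptions; the post only labels the interfaces W, V1, V2 and L2 and masks the real addresses.

```fortios
# ---- FortiGate 1 (WAN side) ----
# "wan1" stands for interface W and "V1" for the IPsec interface (assumed names).
config firewall vip
    edit "Server"
        set type static-nat
        set extip 0.0.0.0              # 0.0.0.0 = the address of extintf itself, as in the post
        set extintf "wan1"
        set portforward enable
        set mappedip xxx.yyy.zzz.nnn   # server in LAN 2 (placeholder kept from the post)
        set extport 21
        set mappedport 21
    next
end
config firewall policy
    edit 1                             # F1.I: WAN -> VPN, destination is the VIP
        set srcintf "wan1"
        set dstintf "V1"
        set srcaddr "all"
        set dstaddr "Server"
        set action accept
        set schedule "always"
        set service "FTP"
        set nat enable                 # the setting the post ends with
    next
end

# ---- FortiGate 2 (server side) ----
config firewall address
    edit "Server"
        set subnet xxx.yyy.zzz.nnn 255.255.255.255
    next
end
config firewall policy
    edit 1                             # F2.I: VPN -> LAN 2
        set srcintf "V2"
        set dstintf "L2"
        set srcaddr "all"
        set dstaddr "Server"
        set action accept
        set schedule "always"
        set service "FTP"
        set nat disable
    next
end
config router static
    edit 10                            # the route added in the post's final step
        set dst 203.0.113.1 255.255.255.255   # external IP of FortiGate 1 (assumed value)
        set device "V2"
    next
end

# Check on FortiGate 2 which interface the FTP packets arrive on and leave from
# (verbosity 4 prints the interface name and in/out direction per packet):
diagnose sniffer packet any "host xxx.yyy.zzz.nnn and tcp port 21" 4
```

The sniffer filter is the same one the post uses; running it on both units while a client connects shows on which interface each unit sees the SYN and whether a reply leaves the unit, which is the quickest way to tell a policy problem from a routing problem.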