Fortinet Forum
gashjaei
New Contributor II

Access Private Portal

Hello Experts, 

 

I would like to access one of the local addresses in another local network, but still no luck.

On a FortiGate 80F (FortiOS v7.0.2) I set up what you can see below:

 

Firewall address:

edit "LAN-CUP-10.2.x.x/24"
set uuid e1e4a43a-4234-51ec-1d33-78ef82b1ea54
set subnet 10.2.x.x 255.255.255.0

 

config firewall policy

edit 17
set name "Any to CUP"
set uuid cc69133e-6340-51ec-a051-06a9cb3d812b
set srcintf "any"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "CUP-Portal" "LAN-CUP-10.2.x.x/24" "Portal"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "Test for Portal CUP"
set logtraffic all

There is also a static route for the destination network.

 

From the firewall itself I can ping 10.2.x.x/24, but from the source network (192.168.10.x) I cannot ping 10.2.x.x/24.

 

Do you have any ideas?

 

Thank you so much 

 

Best,

Ghasem
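Added example, not from the thread or from Fortinet: a small Python audit that parses the FortiOS CLI policy block posted above and lists the properties a reviewer would question in policy 17 (any/any interfaces, srcaddr all, service ALL, NAT not enabled). The sample block is the posted policy with its 'x' octets left as posted; the audit rules are this example's own checks, not a Fortinet feature.

```python
# Added example for this thread (not Fortinet tooling): parse a FortiOS
# 'config firewall policy' block and flag over-broad accept policies.
import re

SAMPLE_POLICY_BLOCK = """\
config firewall policy
    edit 17
        set name "Any to CUP"
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "CUP-Portal" "LAN-CUP-10.2.x.x/24" "Portal"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from FortiOS CLI text."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r'edit (\d+)', line):
            current = int(m.group(1))
            policies[current] = {}
        elif line == 'next':
            current = None
        elif current is not None and (m := re.fullmatch(r'set (\S+)\s+(.+)', line)):
            # values are quoted ("LAN-CUP-10.2.x.x/24") or bare tokens (accept)
            values = re.findall(r'"([^"]*)"|(\S+)', m.group(2))
            policies[current][m.group(1)] = [q or bare for q, bare in values]
    return policies

def audit_policy(settings):
    """List the properties of one accept policy a reviewer would question."""
    findings = []
    if settings.get('action') != ['accept']:
        return findings  # only accept policies can be over-permissive
    if settings.get('srcintf') == ['any'] and settings.get('dstintf') == ['any']:
        findings.append('srcintf/dstintf "any": matches every interface pair')
    if settings.get('srcaddr') == ['all']:
        findings.append('srcaddr "all": no source restriction')
    if settings.get('service') == ['ALL']:
        findings.append('service "ALL": every protocol and port is allowed')
    if settings.get('nat') != ['enable']:
        findings.append('nat not enabled: replies must be routed back via the FortiGate')
    return findings
```

Running audit_policy on each parsed policy gives the review list; policy 17 above yields four findings, and a policy restricted to one interface pair, a named source, one service and nat enable yields none.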

 

 

1 Solution
gashjaei
New Contributor II

Hello 

Finally got the answer:

 

remove the policy and enable NAT. 

tnx 

Ghasem


12 REPLIES
Julien87
New Contributor III

Hi Ghasem,

 

Have you checked whether you see the ICMP packets on the firewall? You can check this with diagnose sniffer packet any 'icmp and host 10.2.x.x' 4

 

If you see the ICMP packet, you can run the flow diagnostic to check why the packet is blocked.

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow

 

Best regards, 

 

 

Julien
gashjaei
New Contributor II

Hello Julien,

 

Yes, I have also tried this, and when I ping the destination everything goes well, but I cannot open the page on the local machine.

 

Tnx

Julien87
New Contributor III

Hi, 

 

Can you post the output of diag sniffer? Because in your post I see that the source network (192.168.10.x) cannot ping 10.2.x.x/24... Did you change the configuration for that?

You can send the result of diag sniffer packet any 'host x.x.x.x and port 443' 4 if your portal is on HTTPS with the standard port.

 

 

Julien
gashjaei
New Contributor II

For your information:

 

FortiGate-80F # execute ping 10.2.0.6
PING 10.2.0.6 (10.2.0.6): 56 data bytes
64 bytes from 10.2.0.6: icmp_seq=0 ttl=126 time=0.3 ms
64 bytes from 10.2.0.6: icmp_seq=1 ttl=126 time=0.2 ms
64 bytes from 10.2.0.6: icmp_seq=2 ttl=126 time=0.2 ms
64 bytes from 10.2.0.6: icmp_seq=3 ttl=126 time=0.2 ms
64 bytes from 10.2.0.6: icmp_seq=4 ttl=126 time=0.2 ms

--- 10.2.0.6 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms

FortiGate-80F #

After running the command you told me, I got no answer:

 

FortiGate-80F # diagnose debug flow filter daddr 10.2.0.6

FortiGate-80F #

 

 

Julien87
New Contributor III

Yes, for this one, but you wrote that ping is KO from the source network to the CUP-PORTAL host. It's for this test that I would look at the result of diagnose sniffer packet.

 

Best regards,

Julien
gashjaei
New Contributor II

I know what you mean, but after running "diagnose debug flow filter daddr 10.2.0.6" there is no result at all on the firewall.

gashjaei
New Contributor II

The thing is that, from the local machine 192.168.10.x, it is not possible to open the link http://cup-wifcty.lan.cup.fe

Also, the firewall cannot recognize this address, but it can ping the IP.

Julien87
New Contributor III

Yes, I have understood that, but I cannot see the Fortinet diagnose packet output. You can also check the DNS resolution from the local machine.

 

 

Julien
gashjaei
New Contributor II

The client claims that 10 days ago he could access this portal without any issue. During this interval I did not change anything on the FW. I am tired of this issue. :(