Support Forum
jaym222
New Contributor

Issue with PAT on 200A

Hi All,

Running a Fortigate 200A, version 4MR2P8. We have a webserver that uses a static NAT and PAT for the following:

443 -> 600
80 -> 550 (with redirect)

The 443 translation works but the 80 does not. When we use the internal IP with 550, it works. Any external access to HTTP does not work. I did a packet sniff and I see traffic coming in to the VIP on port 80, but it is the SYN packets only, no response back. The firewall policy allows all to the VIP on any service. To me it looks correct and should work, but the culprit appears to be the firewall.

Thanks for any help!
Jay
rwpatterson
Valued Contributor III

Chances are it's the custom service you created for that policy. If you didn't create a custom service, then that could be the issue as well. If the server is expecting to see HTTP traffic on the interface, then you need to create a custom service with the below specs:

Protocol: TCP
Source port range: 1024-65535
Destination port range: 550-550

Use that as the service in your policy with the virtual IP as the destination and you'll be up and running in no time.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
jaym222
New Contributor

Thanks for the response, but I am a bit confused. If I create the service policy, I would then bind it to the firewall rule for this VIP, correct? Currently, this rule has a service policy of 'ANY', since the rule is used for both HTTPS and HTTP traffic. So if I created this service policy and attached it, wouldn't it prevent the HTTPS traffic from being allowed? I hope I am making some sense!
rwpatterson
Valued Contributor III

That's kind of correct. 'Any' service allows, well, anything. So that cannot be the issue. From the CLI, show the pertinent outputs for:
 # show firewall policy <policy ID>
 # show firewall vip <Virtual IP name>

Note: By any chance, do you have admin access to HTTP on port 80? If you do, there's your issue. You'll need to change the admin HTTP port to something other than 80 to use 80 as the destination for your VIP policy.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
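The check Bob describes (a VIP external port colliding with the admin HTTP or HTTPS port) can be run mechanically over the output of the two `show` commands above. The script below is an added example, not code from the thread or from Fortinet: it parses FortiOS 4.x-style `show system global` and `show firewall vip` text and reports every port-forwarding VIP whose `extport` equals `admin-port` or `admin-sport`. The embedded config is constructed to mirror the thread's mapping (80 -> 550, 443 -> 600); the VIP names, addresses, interface and hostname are assumptions, and the unit's actual admin ports are whatever its own `show system global` prints.

```python
"""Flag FortiGate VIP external ports that collide with the admin HTTP/HTTPS ports.

Added example, not from the thread or from Fortinet. Parses the text that
`show system global` and `show firewall vip` print on a FortiOS 4.x unit and
reports any port-forwarding VIP whose extport equals admin-port or admin-sport.
"""

# Constructed sample: mirrors the thread's 80 -> 550 and 443 -> 600 mapping.
# Names, addresses, interface and hostname are assumptions.
SAMPLE_SHOW_OUTPUT = """\
config system global
    set admin-port 80
    set admin-sport 443
    set hostname "FG200A"
end
config firewall vip
    edit "web-http"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.1.20
        set extport 80
        set mappedport 550
    next
    edit "web-https"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.1.20
        set extport 443
        set mappedport 600
    next
end
"""


def parse_fortios_show(text):
    """Return {section: {entry_name: {key: value}}} for FortiOS `show` output.

    Only top-level `config` sections are recorded; nested config blocks
    (e.g. `config realservers` inside a load-balance VIP) are skipped.
    Settings that sit directly under `config X` with no `edit` go under
    entry name "". Quotes are stripped and only the first value token kept.
    """
    tree = {}
    stack = []  # one [section, current_entry] frame per open `config`
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith('config '):
            stack.append([s[7:], ''])
            if len(stack) == 1:
                tree.setdefault(stack[0][0], {}).setdefault('', {})
        elif s.startswith('edit ') and stack:
            stack[-1][1] = s[5:].strip('"')
            if len(stack) == 1:
                tree[stack[0][0]].setdefault(stack[0][1], {})
        elif s == 'next' and stack:
            stack[-1][1] = ''
        elif s == 'end' and stack:
            stack.pop()
        elif s.startswith('set ') and len(stack) == 1:
            key, _, rest = s[4:].partition(' ')
            val = rest.split()[0].strip('"') if rest.strip() else ''
            tree[stack[0][0]][stack[0][1]][key] = val
    return tree


def admin_ports(tree):
    """Admin HTTP/HTTPS ports; 80/443 are the FortiOS defaults if unset."""
    g = tree.get('system global', {}).get('', {})
    return {'admin-port': int(g.get('admin-port', 80)),
            'admin-sport': int(g.get('admin-sport', 443))}


def vip_admin_port_conflicts(text):
    """List (vip_name, extport, admin_setting) for every colliding VIP."""
    tree = parse_fortios_show(text)
    ports = admin_ports(tree)
    conflicts = []
    for name, attrs in tree.get('firewall vip', {}).items():
        if not name or attrs.get('portforward') != 'enable':
            continue  # skip section-level settings and 1:1 NAT VIPs
        extport = int(attrs['extport'])
        for setting, port in ports.items():
            if extport == port:
                conflicts.append((name, extport, setting))
    return conflicts


if __name__ == '__main__':
    for vip, port, setting in vip_admin_port_conflicts(SAMPLE_SHOW_OUTPUT):
        print(f'VIP {vip}: extport {port} collides with {setting}; '
              f'move the admin port (config system global / set {setting} <other>)')
```

Paste the real `show` output in place of the constructed sample; an empty result means the admin ports are not the reason the SYNs go unanswered and the policy and VIP definitions are the next thing to read.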