Support Forum
Lucascat
New Contributor III

Unable to reach VIP interface from internal

How can I reach a VIP from the internal interface?

I can ping the firewall's public IP but not a VIP...

gschmitt
Valued Contributor

What does your policy to the VIP look like?

rwpatterson
Valued Contributor III

The only way to PING a VIP is if port forwarding is not being used. This is by design. You cannot port forward ICMP traffic, so PINGs will be dropped. You need to dedicate an entire IP to PING that internal VIP device.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Lucascat
New Contributor III

Hi,

Port forwarding is not used.

The VIP is:

    config firewall vip
        edit "server"
            set extip 89.xx.xx.xx
            set extintf "wan1"
            set mappedip 192.168.1.10
        next
    end

192.168.1.10 is on the internal LAN.

rwpatterson
Valued Contributor III

What model device?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Lucascat
New Contributor III

70D

rwpatterson
Valued Contributor III

I had a similar issue back on a FGT60AD back in the day. The way I believe I got it to work was to NAT the policy to the VIP. The smaller model switches behave differently than the ones with just 'Portx'*. Give that a shot. If I can find the old config (I save everything), I'll give it the once over to see if there was anything else involved.

*: At the time. The FGT FW version was 3.x. Much has changed in between then and now. This was also from personal experience. Your mileage may vary.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

scheehan_FTNT

Hi

Maybe the KB articles below are what you need:

How internal users can access internal resources via an external VIP (public IP address):

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33976

How to access a NATed server internally with a public IP address:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36657

Hope this helps

ede_pfau
Esteemed Contributor III

@scheehan_FTNT: in KB article 33976, the IP address of port2 is wrong (it's the same as of port3). Luckily, this doesn't invalidate this solution.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ede_pfau
Esteemed Contributor III

@OP

The main points with this are:

- the VIP needs to be configured for the "any" device - usually you would specify the 'external' device here

- you need a policy from 'internal' to 'internal' if the server is located in the same LAN. Looks strange but is valid and working.

Even if the second TN is marked "FortiOS v5" I'd go with the first recipe and avoid Policy Routing.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
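The two points above, put together as a FortiOS CLI fragment. This is an added example for readers of the thread; it is not configuration posted by anyone in the thread or taken from the Fortinet KB articles. It assumes the poster's layout (a VIP named "server" mapped to 192.168.1.10, LAN interface "internal", WAN on "wan1"); 203.0.113.10 is a placeholder standing in for the masked public IP, the policy name and service list are illustrative, and the lines starting with # are annotations for the reader, not FortiOS syntax.

```text
# Added example, not from the thread. 203.0.113.10 stands in for the poster's masked public IP.
config firewall vip
    edit "server"
        # "any" instead of "wan1": the DNAT has to match traffic that arrives on "internal" too
        set extintf "any"
        set extip 203.0.113.10
        set mappedip 192.168.1.10
        # no port forwarding configured, so ICMP to the VIP is translated as well
    next
end

config firewall policy
    # The existing inbound policy (wan1 -> internal, dstaddr "server") stays as it is.
    # This additional policy is for LAN clients that address the server by its public IP.
    edit 0
        set name "lan-to-vip-hairpin"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "server"
        set action accept
        set schedule "always"
        set service "HTTPS" "PING"
        # Source NAT is what makes the hairpin work: without it the server replies to the
        # client directly on the LAN, the client sees an answer from 192.168.1.10 instead of
        # the public IP it sent to, and the connection fails.
        set nat enable
    next
end
```

To check the translation, run `diagnose sniffer packet any 'host 192.168.1.10 and icmp' 4` on the FortiGate while a LAN host pings the public IP; the request should appear on "internal" with the FortiGate's LAN address as source, which is why the server answers through the firewall instead of directly. The cost of `set nat enable` is that the server logs the FortiGate's LAN address rather than the real client IP; if the application needs the client address, resolving the hostname to 192.168.1.10 on the internal DNS avoids the hairpin altogether.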