Hello dear Fortinet Community,
I am new to Fortigates and I have the case depicted on the attached picture: A server in LAN 2 (Interface L2) behind the Fortigate 2 (FortiWiFi 60CX-ADSL-A, Firmware v5.2.15,build766 (GA)) which is being addressed from WAN (Interface W) through the Fortigate 1 (FortiWiFi 60CX-ADSL-A, Firmware v5.2.15,build766 (GA)) and IPSec VPN (Interfaces V1, V2, which are the VPN interfaces). The server runs a number of services that should be accessible from WAN. Let's take FTP as one example.
I have the following relevant policies of the Fortigate 1.
F1.I. WAN - V1: Source: all; Destination: Server (Virtual IP); Schedule: always; Service: FTP; Action: accept; NAT: enable.
F1.II. V1 - WAN: Source: all; Destination: all; Schedule: always; Service: all; Action: accept; NAT: enable.
The Virtual IP object "Server" has the following configuration:
Interface: W1, Type: static NAT, Source Address Filter: disabled, External IP Address/Range: 0.0.0.0 - 0.0.0.0 Internal IP Address/Range: xxx.yyy.zzz.nnn - xxx.yyy.zzz.nnn (the IP Address of the Server in LAN 2) Port Forwarding: enabled, Protocol: TCP, External Service Port: 21 - 21 Internal Service Port: 21 - 21
Besides that, I have the following relevant policies on the Fortigate 2.
F2.I. V2 - L2: Source: all; Destination: Server (Address); Schedule: always; Service: FTP; Action: accept; NAT: disable.
F2.II. L2 - V2: Nothing... but should I have an accepting policy for Server -> all?
The Address object "Server" has the following configuration:
Type: IP/Netmask, Subnet / IP Range: xxx.yyy.zzz.nnn (the IP Address of the Server in LAN 2), Interface: any, Show in Address List: yes.
When I try to connect via FTP from WAN using the address of the WAN-Interface, I see the number of packets increasing on F1.I, but nowhere else and, obviously, I can't establish a connection. Could you please help me with what and how I should change to allow the required connectivity?
I suppose the settings of the VPN Tunnel may also be relevant, so here they are.
At Fortigate 1:
Network
IP Version: IPv4
Remote Gateway: Dynamic DNS
Dynamic DNS: ourdomain.dyndns.org
Interface: W
Mode Config: disabled
NAT Traversal: enabled
Keepalive Frequency: 10
Dead Peer Detection: enabled
Authentication
Method: Pre-Shared Key
Pre-shared Key: secret
IKE Version: 1
IKE Mode: Main (ID Protection)
Phase 1 Proposal
Algorithms: AES128-SHA256
Diffie-Hellman Groups: 14, 5
XAUTH
Type: Disabled
Phase 2 Selectors
Name: V1
Local Address: Subnet 0.0.0.0/0.0.0.0
Remote Address: Subnet 0.0.0.0/0.0.0.0
(here we have several pairs of Encryption and Authentication types, I omit them)
Enable Replay Detection: enabled
Enable Perfect Forward Secrecy (PFS): enabled
Diffie-Hellman Groups: 14, 5
Local Port: All
Remote Port: All
Protocol: All
Autokey Keep Alive: disabled
Auto-negotiate: enabled
Key lifetime: 43200 seconds
Fortigate 2: everything is identical except:
Remote Gateway: Static IP Address.
IP Address: our static IP address of W
Interface: the local WAN-Interface of the Site where Fortinet 2 functions
Auto-negotiate: disabled.
After reading the following two articles
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38709
https://kb.fortinet.com/kb/documentLink.do?externalID=FD48688
I've disabled NAT on the F1.I and I have also found the sniffer. Now I see that I'm receiving the packets on V2:
# diag sniff packet any "host xxx.yyy.zzz.nnn and tcp port 21" 4
interfaces=[any]
filters=[host xxx.yyy.zzz.nnn and tcp port 21]
4.711693 V2 in aaa.bbb.ccc.ddd.56402 -> xxx.yyy.zzz.nnn.21: syn 4170189320
16.712715 V2 in aaa.bbb.ccc.ddd.56402 -> xxx.yyy.zzz.nnn.21: syn 4170189320
However, I don't see them leaving on L2.
I think I have found the problem:
# diag debug flow trace start 100
id=20085 trace_id=1 func=print_pkt_detail line=4489 msg="vd-root received a packet(proto=6, aaa.bbb.ccc.ddd:56977->xxx.yyy.zzz.nnn:21) from V2. flag, seq 4154323049, ack 0, win 5840"
id=20085 trace_id=1 func=init_ip_session_common line=4645 msg="allocate a new session-000cebfd"
id=20085 trace_id=1 func=ip_route_input_slow line=1274 msg="reverse path check fail, drop"
This seems to be a related article: https://kb.fortinet.com/kb/documentLink.do?externalID=FD30543
Now I need to find out if I should disable the RPF or reconfigure the other Fortigate to NAT the packets.
I have changed F1.I to NAT and then added the external IP address of the Fortigate 1 to the routing table of the Fortigate 2 statically. Now I seem to have the connection. The problem seems to be solved now.
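The fix described in the last update, written out as FortiOS CLI. This is an added illustration, not configuration taken from the original post: the interface name V2 matches the thread, but the addresses (203.0.113.10 standing in for the public IP of Fortigate 1, 192.0.2.50 for the server in LAN 2), the route sequence number and the use of `#` lines as reader comments are assumptions. The reason the route is needed: with NAT enabled on F1.I, Fortigate 2 sees the connection sourced from Fortigate 1's address; its reverse-path check only accepts the packet on V2 if a route to that source points back through V2, otherwise the default route (out the local WAN) wins and the session is dropped exactly as in the `reverse path check fail, drop` trace line above.

```fortios
# Fortigate 2: a host route for the NATed source address of Fortigate 1,
# pointing into the tunnel interface V2 so the reverse-path check passes.
# The /32 keeps the exception to this one peer address.
# "edit 0" takes the next free sequence number (assumption: any free slot is fine).
config router static
    edit 0
        set dst 203.0.113.10 255.255.255.255
        set device "V2"
    next
end

# Confirm the route is installed and points at V2.
get router info routing-table all

# Re-run the flow trace that exposed the drop, now filtered to the server
# and port 21, and stop it afterwards so it does not keep flooding the console.
diagnose debug flow filter addr 192.0.2.50
diagnose debug flow filter port 21
diagnose debug flow show console enable
diagnose debug flow trace start 100
diagnose debug enable
# ... attempt the FTP connection from the WAN side; the trace should now show
#     the session being created and matching policy F2.I instead of
#     "reverse path check fail, drop" ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# The alternative the poster considered but did not use: switching off the
# reverse-path check for the whole VDOM. It also clears the error, but it
# removes anti-spoofing on every interface of the unit, so the host route
# above is the safer change.
# config system settings
#     set asymroute enable
# end
```

If NAT were left disabled on F1.I instead, the packets arriving on V2 would keep the original WAN client source address; Fortigate 2 would then need a route for those arbitrary Internet sources via V2 (or the RPF relaxation), which is why re-enabling NAT on F1.I and adding a single host route is the smaller and tighter change.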
Copyright 2024 Fortinet, Inc. All Rights Reserved.