OrtizJorge97

AWS Fortigate VM DNAT is not working.

Hi guys, 

I am not able to get a DNAT working to access, from the external internet, my web service hosted on a server in a private subnet managed by the FortiGate.

 

I am new to this networking area; could you help me out?

This is what I have been trying.

 

I am accessing it with a web browser, like http://<FGT-Public-Ip>:3002, and also doing telnet <FGT-Public-Ip> 3002. Both time out.

 

Traffic is reaching my FortiGate, verified with diagnose sniffer packet port1 'tcp and port 3002'; results below:

-----------------------------------------------------------------------------------------------

XXXXXXXX # diagnose sniffer packet port1 'tcp and port 3002'
Using Original Sniffing Mode
interfaces=[port1]
filters=[tcp and port 3002]
3.351276 XXX.XXX.9.57.59128 -> 10.0.0.10.3002: syn 3472599031
3.351345 XXX.XXX.9.57.59128 -> 10.0.0.10.3002: syn 89282952

 

The traffic is redirected to the port1 private IP address, port 3002.

-----------------------------------------------------------------------------------------------

Ran the sniffer on port2, where the traffic should be forwarded:

XXXXXXXX # diagnose sniffer packet port2 'tcp and port 3002'
Using Original Sniffing Mode
interfaces=[port2]
filters=[tcp and port 3002]

 

Nothing is displayed here after the telnet or HTTP request from the browser.

-----------------------------------------------------------------------------------------------

This is my VIP configuration. The external IP address is the public IP address (AWS Elastic IP) of the FGT, which I will be accessing and which is mapped to the FGT's physical interface port1, 10.0.0.10. 10.0.1.27 is the private server in the private subnet.

 

[Screenshot 2024-12-14: VIP configuration]

 

Below is my firewall policy allowing traffic from port1 to the VIP:

[Screenshot 2024-12-14: firewall policy]

 

Below is the TCP/3002 service. Originally I had it set to ALL services, but it still did not work.

[Screenshot 2024-12-14: TCP/3002 service]

 

 

interfaces

port1 -> 10.0.0.10

port2 -> 10.0.1.10

 

Subnets

public subnet 10.0.0.0/24 (my fgt vm is placed here)

private subnet 10.0.1.0/24 

 

Resources

Server -> 10.0.1.27 (Placed in 10.0.1.0/24 subnet)

 

Static route 1:

Destination: 10.0.1.0/24

Gateway IP: 0.0.0.0 (managed by fgt)

Interface: port2

 

More context:

The service itself is literally a Docker container with nginx, mapped 0.0.0.0:3002 -> ::80.

 

Executed telnet from the FortiGate CLI and it works, so the service is accessible from the FortiGate:
XXXXXXXXX # execute telnet 10.0.1.27 3002
Trying 10.0.1.27...
Connected to 10.0.1.27.

 

I have an SSL-VPN tunnel managed by the FGT as 10.0.3.0/24,

and from there I am able to successfully telnet 10.0.1.27 3002, curl it, or open http://10.0.1.27:3002 in the browser.
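The VIP, policy and service above are visible only as screenshots. The block below is an added example, not the poster's actual configuration, showing how an equivalent port-forwarding VIP and policy read in the FortiOS CLI; the object names web-3002, TCP-3002 and inet-to-web-3002 are assumed, the addresses are the ones given in the post, and lines beginning with # are annotations. One check worth making against the screenshots: the sniffer output above shows the SYNs arriving with destination 10.0.0.10, not the Elastic IP. The AWS internet gateway performs the one-to-one NAT for an Elastic IP before the packet reaches the instance, so the VM never sees the EIP as a destination, and a VIP whose external IP is the EIP itself cannot match that traffic. The example therefore uses the port1 private address as extip.

```fortios
# Added example (not the poster's config): port-forwarding VIP for a web
# service on 10.0.1.27:3002 behind port2, reached via port1 (10.0.0.10).
config firewall service custom
    edit "TCP-3002"
        set tcp-portrange 3002
    next
end

config firewall vip
    edit "web-3002"
        # extip must be the destination the packet actually carries when it
        # arrives on port1. The sniffer shows 10.0.0.10, not the Elastic IP.
        set extip 10.0.0.10
        set extintf "port1"
        set portforward enable
        set mappedip "10.0.1.27"
        set extport 3002
        set mappedport 3002
    next
end

config firewall policy
    edit 0
        set name "inet-to-web-3002"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "web-3002"
        set action accept
        set schedule "always"
        set service "TCP-3002"
        # DNAT only: no source NAT, so the server logs the real client address.
        # The server's return path must then go through the FortiGate (port2).
        set nat disable
    next
end
```

After applying, `show firewall vip web-3002` and `show firewall policy` display what was actually committed, which is a quicker way to compare against the screenshots than the GUI.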


 

 

 

2 replies
AEK
SuperUser

Hi

Try using diag debug flow instead of diag sniffer. It should tell you why the traffic is blocked.

AEK
DPadula

Adding to @AEK's reply, these are the commands he suggested:
Technical Tip: Debug flow tool

The option 'diagnose debug flow show function-name enable' will give you the reason as he mentioned.

 

Regards

DPadula
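The debug flow sequence the two replies refer to, written out as an added example rather than text from either reply. It filters the trace to the connection under test so the output is not flooded by other traffic; <client-ip> stands for the source address seen in the sniffer output (masked in the post), and 20 is an arbitrary packet count.

```fortios
# Added example: trace how the FortiGate handles the inbound 3002 connection.
# Start from a clean state so no stale filters or debug output interfere.
diagnose debug reset
diagnose debug flow filter clear

# Match only the test client's packets towards TCP/3002.
diagnose debug flow filter saddr <client-ip>
diagnose debug flow filter dport 3002
diagnose debug flow filter proto 6

# Print the kernel function names and the policy lookup details, with timestamps.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable

# Capture the next 20 matching packets.
diagnose debug enable
diagnose debug flow trace start 20

# ... reproduce from outside: telnet <FGT-Public-Ip> 3002 ...

# Stop and leave debugging off when done.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

In the trace, look at the first packet's lines: a VIP match appears as a DNAT message showing the translation of the destination to 10.0.1.27:3002 before the policy lookup, while the absence of that line followed by a denial in the forward policy check means no VIP matched the packet's actual destination address and the packet was evaluated as plain traffic to the FortiGate itself.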
