Support Forum
OrtizJorge97
New Contributor

AWS Fortigate VM DNAT is not working.

Hi guys, 

I am not able to get a DNAT working to access, from the external internet, my web service hosted on a server in a private subnet managed by the FortiGate.

 

I am new to this networking area; could you guys help me out?

This is what I have been trying.

 

I am accessing it with a web browser at http://<FGT-Public-Ip>:3002 and also doing telnet <FGT-Public-Ip> 3002... both time out.

 

Traffic is reaching my FortiGate, verified with diagnose sniffer packet port1 'tcp and port 3002'; results below:

-----------------------------------------------------------------------------------------------

XXXXXXXX # diagnose sniffer packet port1 'tcp and port 3002'
Using Original Sniffing Mode
interfaces=[port1]
filters=[tcp and port 3002]
3.351276 XXX.XXX.9.57.59128 -> 10.0.0.10.3002: syn 3472599031
3.351345 XXX.XXX.9.57.59128 -> 10.0.0.10.3002: syn 89282952

 

Redirects to interface port1's private IP address, port 3002.

-----------------------------------------------------------------------------------------------

Ran the packet sniffer on port2, where the traffic should be forwarded...

XXXXXXXX # diagnose sniffer packet port2 'tcp and port 3002'
Using Original Sniffing Mode
interfaces=[port2]
filters=[tcp and port 3002]

 

Nothing displays here after the telnet or HTTP request in the browser.

-----------------------------------------------------------------------------------------------

This is my VIP configuration. The external IP address is the public IP address (AWS Elastic IP) of the FGT, which I will be accessing and which is mapped to the physical FGT interface port1, 10.0.0.10. 10.0.1.27 is the private server in the private subnet.

 

Screenshot 2024-12-14 at 12.22.23 p.m..png

 

Below is my firewall policy allowing traffic from port1 to the VIP.

Screenshot 2024-12-14 at 12.25.03 p.m..png

 

Below is the TCP/3002 service... originally I had it set to ALL services, but it still did not work.

Screenshot 2024-12-14 at 12.27.13 p.m..png

 

 

Interfaces

port1 -> 10.0.0.10

port2 -> 10.0.1.10

 

Subnets

public subnet 10.0.0.0/24 (my fgt vm is placed here)

private subnet 10.0.1.0/24 

 

Resources

Server -> 10.0.1.27 (Placed in 10.0.1.0/24 subnet)

 

Static route 1:

Destination: 10.0.1.0/24

Gateway IP: 0.0.0.0 (managed by fgt)

Interface: port2

 

More context:

The service itself is literally a Docker container with nginx, mapped 0.0.0.0:3002 -> ::80.

 

Executed telnet from the FortiGate CLI and it works, so the service is accessible from the FortiGate:
XXXXXXXXX # execute telnet 10.0.1.27 3002
Trying 10.0.1.27...
Connected to 10.0.1.27.

 

I have an SSL-VPN tunnel managed by the FGT as 10.0.3.0/24,

and through it I am successfully able to telnet 10.0.1.27 3002, or even curl, or open http://10.0.1.27:3002 from the browser.


 

 

 

1 Solution
dingjerry_FTNT

Hi @OrtizJorge97 ,

 

Your VIP external IP is x.x.x.101, but when the traffic flow hits port1, the destination IP is 10.0.0.10. How can it match the VIP?

 

You need to set the VIP's external IP to 10.0.0.10 because FGT does not see the x.x.x.101 IP at all.

 

BTW, in the future, please use verbose 4 for the sniffer packet capture, or verbose 6 if you need to convert it to a pcap.

Regards,

Jerry


AEK
SuperUser

Hi

Try using diag debug flow instead of diag sniffer. It should tell you why the traffic is blocked.

AEK
DPadula

Adding to @AEK's reply, these are the commands that he suggested:
Technical Tip: Debug flow tool

The option 'diagnose debug flow show function-name enable' will give you the reason, as he mentioned.

 

Regards

DPadula
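The replies above name the tool but the linked Technical Tip's commands are not on this page, so here is an added worked example of a complete debug flow session for this exact connection. It is not from the Technical Tip or from any poster; the port1 address 10.0.0.10 and port 3002 come from the original post, the packet count of 20 is an arbitrary choice, and the final sniffer line applies Jerry's verbose-4 advice from the accepted solution.

```fortios
# Added example, FortiOS CLI. Addresses and port are from the original post;
# the trace count (20) is arbitrary.

# Start from a clean debug state so stale filters do not hide the flow
diagnose debug reset
diagnose debug flow filter clear

# Match only the traffic under test. The pre-NAT destination seen on port1
# is 10.0.0.10 (what the sniffer showed), not the Elastic IP.
diagnose debug flow filter addr 10.0.0.10
diagnose debug flow filter port 3002

# Show which kernel function made each decision, with timestamps
diagnose debug flow show function-name enable
diagnose debug console timestamp enable

# Trace up to 20 packets, then turn the console output on
diagnose debug flow trace start 20
diagnose debug enable

# ... reproduce from outside: telnet <FGT-Public-Ip> 3002 ...

# Always stop and clean up; a forgotten debug keeps consuming CPU
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset

# Sniffer with verbose 4: prints the interface name per packet, so one capture
# on 'any' shows whether the flow ever leaves on port2. Arguments are
# interface, filter, verbose level, count (0 = unlimited), timestamp ('a' = absolute).
# Use verbose 6 instead when the capture must be converted to pcap.
diagnose sniffer packet any 'host 10.0.0.10 and tcp port 3002' 4 0 a
```

How to read the result: a working DNAT trace shows the VIP policy ID being matched, a DNAT line rewriting the destination to 10.0.1.27:3002, and the packet going out on port2. If the trace instead ends with `policy-4294967295 is matched, act-drop`, the implicit deny policy matched, which means no explicit policy (and therefore no VIP) matched the destination address and port actually present on the packet at port1.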

OrtizJorge97

Hi @DPadula ,

This is the output it displays. Is the output basically saying that no firewall policy is matched and only the rejecting one at the end matched?



https://codeshare.io/Mkndop

 

DPadula
Staff

According to the output, this is what is happening:

2024/12/17 16:31:41 policy-4294967295 is matched, act-drop. It is matching the policy and the traffic is being dropped by it.

Just for testing purposes, can you remove the service TCP/3002 from the firewall policy and change it to 'ALL'? Then test again and collect the same output.

OrtizJorge97

Hi @dingjerry_FTNT, it absolutely works. It turns out AWS handles the mapping of x.x.x.101 to the port1 IP 10.0.0.10, but the FortiGate is not aware of this, so I had to change the external IP to the 10.0.0.10 IP address...

 

Also, I had to enable NAT in my policy because the private server was responding directly to my public IP address, and the private server does not know where to redirect that traffic in response.
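For completeness, here is the configuration the thread converges on, written out as FortiOS CLI. This is an added example, not the poster's actual configuration or Fortinet's reference: the object names (vip-web-3002, TCP-3002, policy ID 10) are assumptions, x.x.x.101 is the poster's placeholder for the Elastic IP, and the addresses are the ones given in the original post. The original, non-matching VIP setting is shown as a comment for contrast.

```fortios
# Added example, FortiOS CLI. Object names and policy ID are assumed;
# addresses are from the original post.

# Custom service for the published port (the poster also tested with ALL)
config firewall service custom
    edit "TCP-3002"
        set tcp-portrange 3002
    next
end

# Original (non-working) VIP setting, for contrast:
#   set extip x.x.x.101   <- the Elastic IP. AWS translates it to 10.0.0.10
#                            before the packet reaches port1, so no packet
#                            ever arrives with this destination, the VIP
#                            never matches, and the implicit deny drops it.
config firewall vip
    edit "vip-web-3002"
        # External IP must be the address actually seen on port1
        set extip 10.0.0.10
        set extintf "port1"
        set portforward enable
        set extport 3002
        # The server's published port (docker maps 0.0.0.0:3002 on the host)
        set mappedip "10.0.1.27"
        set mappedport 3002
    next
end

# Inbound policy port1 -> port2 with the VIP object as destination
config firewall policy
    edit 10
        set name "inbound-web-3002"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-web-3002"
        set action accept
        set schedule "always"
        set service "TCP-3002"
        # Source NAT to port2's address (10.0.1.10) so the server's replies
        # return through the FortiGate instead of following the VPC route
        # table straight back toward the public client
        set nat enable
        # Keep accepted connections to the published service in the traffic log
        set logtraffic all
    next
end
```

Two design notes. Enabling NAT fixes the asymmetric return path but hides the real client address from the server (nginx logs will show 10.0.1.10); the alternative that preserves it is to point the private subnet's default route in the VPC route table at the FortiGate port2 ENI, with the source/destination check disabled on the FortiGate's ENIs, so replies come back through the firewall without SNAT. And `srcaddr "all"` publishes the service to the whole internet; if only known networks need it, narrow the source address object accordingly.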

