Hi guys,
I am not able to pull off a DNAT to access, from the external internet, my web service hosted on a server in a private subnet managed by FortiGate.
I am new to this networking area, could you guys help me out?
This is what I have been trying.
I am accessing it with a web browser at http://<FGT-Public-Ip>:3002 and also doing telnet <FGT-Public-Ip> 3002... both time out.
Traffic is reaching my FortiGate, verified with
diagnose sniffer packet port1 'tcp and port 3002', results below:
-----------------------------------------------------------------------------------------------
XXXXXXXX # diagnose sniffer packet port1 'tcp and port 3002'
Using Original Sniffing Mode
interfaces=[port1]
filters=[tcp and port 3002]
3.351276 XXX.XXX.9.57.59128 -> 10.0.0.10.3002: syn 3472599031
3.351345 XXX.XXX.9.57.59128 -> 10.0.0.10.3002: syn 89282952
Redirects to interface port1 private ip address port 3002
-----------------------------------------------------------------------------------------------
Ran sniffer packet for port2, where the traffic should be forwarded...
XXXXXXXX # diagnose sniffer packet port2 'tcp and port 3002'
Using Original Sniffing Mode
interfaces=[port2]
filters=[tcp and port 3002]
Nothing displays here after telnet or http request in browser.
-----------------------------------------------------------------------------------------------
This is my VIP configuration: the external IP address is the public IP address (AWS Elastic IP) of the FGT which I will be accessing, and which is mapped to the physical interface FGT port1 10.0.0.10... 10.0.1.27 is the private server in the private subnet.
Below is my firewall policy allowing traffic from port1 to the VIP.
Below is the TCP/3002 service... originally I had set it up to ALL services, but it still did not work.
interfaces
port1 -> 10.0.0.10
port2 -> 10.0.1.10
Subnets
public subnet 10.0.0.0/24 (my fgt vm is placed here)
private subnet 10.0.1.0/24
Resources
Server -> 10.0.1.27 (Placed in 10.0.1.0/24 subnet)
Static route 1:
Destination: 10.0.1.0/24
Gateway IP: 0.0.0.0 (managed by fgt)
Interface: port2
More context:
The service itself is literally a docker container with nginx mapped 0.0.0.0:3002 -> ::80
Executed telnet from the FortiGate CLI and it works, so the service is accessible from the FortiGate.
XXXXXXXXX # execute telnet 10.0.1.27 3002
Trying 10.0.1.27...
Connected to 10.0.1.27.
I have an SSL-VPN tunnel managed by the FGT as 10.0.3.0/24,
and I am successfully able to do telnet 10.0.1.27 3002, or even curl, or from the browser http://10.0.1.27:3002
Hi @OrtizJorge97 ,
Your VIP external IP is x.x.x.101, but when the traffic flow hits port1, the destination IP is 10.0.0.10. How can it trigger a match on the VIP?
You need to set the VIP's external IP to 10.0.0.10 because FGT does not see the x.x.x.101 IP at all.
BTW, in the future, please use verbose 4 for sniffer packet capture or verbose 6 if you need to convert it to a pcap.
Hi
Try using diag debug flow instead of diag sniffer. It should tell you why the traffic is blocked.
Adding to @AEK's reply, these are the commands that he suggested.
Technical Tip: Debug flow tool
The option 'diagnose debug flow show function-name enable' will give you the reason as he mentioned.
Regards
DPadula
Hi @DPadula ,
This is the output it displays; the output is basically saying that no firewall policy is matched and only the rejecting one at the end is matched?
According to the output, this is what is happening:
2024/12/17 16:31:41 policy-4294967295 is matched, act-drop. It is matching the policy and traffic is being dropped by it.
Just for testing purposes, can you remove the service TCP/3002 from the firewall policy and change it to 'ALL'? Then test again and collect the same output.
Hi @dingjerry_FTNT, it absolutely works. Turns out AWS handles the x.x.x.101 mapping to the 10.0.0.10 port1 IP, but the FortiGate is not aware of this, so I had to change the external IP to the 10.0.0.10 IP address...
Also, I had to enable NAT in my policy because the private server was responding directly to my public IP address, and the private server does not know where to redirect that traffic in response.
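As an added example (not the original poster's configuration and not Fortinet's own), here is what the resolution reached above looks like in FortiOS CLI form, using the addresses from the thread: the VIP's external IP is the port1 interface address 10.0.0.10 rather than the Elastic IP, because AWS translates the Elastic IP before the packet reaches port1, and NAT is enabled on the policy so the server's replies return through the FortiGate. The object names vip-web-3002, TCP-3002 and inbound-web-3002, and the policy ID 1, are assumed.

```fortios
# Custom service for the single port (assumed name TCP-3002)
config firewall service custom
    edit "TCP-3002"
        set tcp-portrange 3002
    next
end

# VIP: DNAT from the port1 address to the private server.
# extip is the interface IP that actually appears as the destination
# in the port1 sniffer output; the AWS Elastic IP never reaches the FGT.
config firewall vip
    edit "vip-web-3002"
        set extintf "port1"
        set extip 10.0.0.10
        set mappedip "10.0.1.27"
        set portforward enable
        set extport 3002
        set mappedport 3002
    next
end

# Policy from the internet-facing port1 to the private port2.
# srcaddr "all" exposes the service to any internet source; narrow it
# if only known client ranges need to reach it.
# nat enable applies source NAT, so the server replies to the FGT's port2
# address instead of trying to reach the client's public IP directly.
config firewall policy
    edit 1
        set name "inbound-web-3002"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip-web-3002"
        set action accept
        set schedule "always"
        set service "TCP-3002"
        set nat enable
    next
end
```

After applying this, the debug flow tool suggested above (diagnose debug flow filter port 3002, diagnose debug flow show function-name enable, diagnose debug flow trace start 10, diagnose debug enable) should report the session matching policy 1 rather than policy-4294967295, which is the implicit deny policy.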
Copyright 2025 Fortinet, Inc. All Rights Reserved.