Hello Experts,
I would like to access one of the local addresses in another local network, but still no news.
On a FortiGate 80F (FortiOS v7.0.2) I set what you can see below:
Firewall address:
config firewall address
    edit "LAN-CUP-10.2.x.x/24"
        set uuid e1e4a43a-4234-51ec-1d33-78ef82b1ea54
        set subnet 10.2.x.x 255.255.255.0
    next
end
config firewall policy
    edit 17
        set name "Any to CUP"
        set uuid cc69133e-6340-51ec-a051-06a9cb3d812b
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "CUP-Portal" "LAN-CUP-10.2.x.x/24" "Portal"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "Test for Portal CUP"
        set logtraffic all
    next
end
There is also a static route for the destination network.
Inside the firewall I can ping 10.2.x.x/24, but from the source network (192.168.10.x) I cannot ping 10.2.x.x/24.
Do you have any ideas?
Thank you so much
Best,
Ghasem
Hello
Finally got the answer:
remove the policy and enable NAT.
tnx
Ghasem
Hi Ghasem,
Have you checked whether you see the ICMP packets on the firewall? You can check this with diagnose sniffer packet any 'icmp and host 10.2.x.x' 4
If you see the ICMP packets, you can check the flow diagnostics to see why the packet is blocked.
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow
Best regards,
Hello Julien,
Yes, I have also tried this, and when I ping the destination everything goes well, but I cannot open the page on the local machine.
Tnx
Hi,
Can you post the output of diag sniffer? Because in your post I see that the source network (192.168.10.x) cannot ping 10.2.x.x/24... Did you change the configuration for that?
You can send the result of diag sniffer packet any 'host x.x.x.x and port 443' 4 if your portal uses HTTPS on the standard port.
For your information:
FortiGate-80F # execute ping 10.2.0.6
PING 10.2.0.6 (10.2.0.6): 56 data bytes
64 bytes from 10.2.0.6: icmp_seq=0 ttl=126 time=0.3 ms
64 bytes from 10.2.0.6: icmp_seq=1 ttl=126 time=0.2 ms
64 bytes from 10.2.0.6: icmp_seq=2 ttl=126 time=0.2 ms
64 bytes from 10.2.0.6: icmp_seq=3 ttl=126 time=0.2 ms
64 bytes from 10.2.0.6: icmp_seq=4 ttl=126 time=0.2 ms
--- 10.2.0.6 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.3 ms
FortiGate-80F #
After entering the command you told me, I got no answer:
FortiGate-80F # diagnose debug flow filter daddr 10.2.0.6
FortiGate-80F #
Yes for this one, but you wrote that ping is KO from the source network to the CUP-PORTAL host. It is for this test that I would like to see the result of diagnose sniffer packet.
Best regards,
I know what you mean, but after entering "diagnose debug flow filter daddr 10.2.0.6" there is no result on the firewall.
The thing is that on the local machine 192.168.10.x it is not possible to open the link http://cup-wifcty.lan.cup.fe
Also, the firewall cannot recognize this address, but it can ping the IP.
Yes, I understand that, but I cannot see the FortiGate diagnose packet output. You can also check the DNS resolution from the local machine.
The client claims that 10 days ago he could access this portal without any issue. During this interval I did not change anything on the FW. I am tired of these issues. :(
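Added example, not part of any post in this thread: the `diagnose debug flow filter` command on its own only sets a match condition and prints nothing, so the trace has to be started and debug output enabled before traffic is sent. The address 10.2.0.6 is the destination quoted in the thread; the packet count of 20 and the ICMP protocol filter are assumptions chosen for a ping test.

```fortios
# Added example. Run on the FortiGate CLI, then ping 10.2.0.6 from a
# 192.168.10.x client while the trace is active.

# Clear any previous debug state and filters
diagnose debug reset
diagnose debug flow filter clear

# Match only traffic to the destination host, ICMP only (protocol 1)
diagnose debug flow filter daddr 10.2.0.6
diagnose debug flow filter proto 1

# Show which kernel function handled each step of the packet
diagnose debug flow show function-name enable

# Trace the next 20 matching packets and print the output to this session
diagnose debug flow trace start 20
diagnose debug enable

# ... generate the test traffic from the client now ...

# Stop tracing and turn debug output off again
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

In the output, "Allowed by Policy-<id>" and "find a route" lines show which policy and egress interface were chosen, while "Denied by forward policy check (policy 0)" or "reverse path check fail, drop" show where the packet was dropped. If nothing is printed at all, the packets are not reaching the FortiGate.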