Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiS_T
New Contributor

Access VIP from internal interface

Hi!

 

i have a fortiGate 100E with architecture like in this diagram:

 

i have a VIP that make snat from WAN1 (1.1.1.1) to server 10.0.0.1 and its working well from WAN.

guest network configured to go out via WAN2 interface, and i need to allow to guest users to access the server with the VIP address (1.1.1.1),

i tried to create a policy to allow connection from guest network to lan network via the VIP in destination and nothing,  i think there is any routing issue but i realy dont know what.

 

please your help,

Thanks!

 

 

 

1 Solution
Sudarsan_Babu
Contributor

Hello,

 

1. Check routing distance & Priority are same . 

2. Check Guest network routed through 10.0.0.0/24. 

 

 

 

Regards,

Sudarsan Babu P

View solution in original post

Regards, Sudarsan Babu P
4 REPLIES 4
Sudarsan_Babu
Contributor

Hello,

 

1. Check routing distance & Priority are same . 

2. Check Guest network routed through 10.0.0.0/24. 

 

 

 

Regards,

Sudarsan Babu P

Regards, Sudarsan Babu P
rwdorman

I've dont this for Internal networks accessing VIP's by doing an Internal -> Internal policy.  I would do a diag debug flow to check how routing and NAT are being applied.

-rd 2x 200D Clusters 1x 100D

1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D

-rd 2x 200D Clusters 1x 100D 1x 60D FortiOS 5.2 FortiAP 221C FAZ 200D
rwpatterson
Valued Contributor III

Create a policy from WANx to internal, but make the source the INTERNAL subnet and the destination the Virtual IP, no NAT. See if that works. (Are you sure it is a source NAT? Virtual IP is a destination NAT) Years ago I had to 'hack' the infrastructure to do just this.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
FortiS_T

Hi Guys,

 

thank you for your help!

 

after Sudarsan Babu message i saw that i really dont have connection from guest net. to 10.0.0.0/24,

so after I've created a policy route from guest to 10.0.0.0/24 and to WAN1 before the policy that route from guest to 0.0.0.0 via WAN2 and added this policies:

from guest to WAN1 with relevant service

(from WAN1 to LAN to VIP already existed) 

the problem has resolved,

 

Thanks again!

 

Top Kudoed Authors