Hi everyone,
I've created a Virtual IP to forward the TCP port 10000 to 80 TCP in a client with the IP 192.168.1.12, so the details are:
0.0.0.0 -> 192.168.1.12 (TCP: 10000 -> 80)
Also, I've created a policy so I can access that host from the outside when I make a request to <office.public.ip>:10000, and it works as expected. I've basically followed this post in the knowledge base.
However, I'm experiencing something unexpected: when I try to access <office.public.ip>:10000 from another interface (VLAN) I cannot reach the host, only when I try to access it from outside (a different internet connection). Why is this?
To give you a little more context ... I'm doing this in my company, so I can reach the host from my home, but not from the office itself. Also ... the ISP gave me an IP to use as a gateway in a static route (which is different from the public IP of the connection in the office) and I also have another different IP/netmask for the WAN1 interface (also different from the public IP and the IP for the static route). When I try to reach the host by requesting <ip.wan1.interface>:10000 it works as expected, but again, I cannot reach it when I request <office.public.ip>:10000 from the office itself; it only works when I make that request from outside.
I know that when I'm inside (in the office) I don't actually need to access that host via <office.public.ip>, but I'm curious because apparently I should be able to use <office.public.ip>:10000 in the same way that I'm able to use just the private local IP (192.168.1.12).
What do you think? Thank you all.
Well, I've been checking the logs and I think this is because of my ISP.
As you can see, despite I'm always (in both cases) doing the request to the office public IP (83.x.y.143)
So maybe this is because of the network architecture of my ISP, what do you think?
Perfect. Then we have to see something on that WAN. How is it configured?
Where does IP 83 come from? Is it a valid IP routed by your operator to you? The IP 217.124.116.61 is configured on your WAN, correct?
Has the request been made by IP or DNS?
One more question. You said: if I do the request to 217.124.116.61:10000 from inside it works as expected, but 217.124.116.61 is not available from outside ... Do you have a macro drawing of your topology, to try to understand it better?
NSE-4
jorge.americo wrote:
Perfect. Then we have to see something on that WAN. How is it configured?
Where does IP 83 come from? Is it a valid IP routed by your operator to you? The IP 217.124.116.61 is configured on your WAN, correct?
Has the request been made by IP or DNS?
One more question. You said: if I do the request to 217.124.116.61:10000 from inside it works as expected, but 217.124.116.61 is not available from outside ... Do you have a macro drawing of your topology, to try to understand it better?
I'm not sure if this will help, but this is a little schema representing what I have.
The 217.124.116.x IPs were given to me by the ISP in order to set these two things (WAN1 interface IP/netmask and the static route shown), but actually the 83.x.y.143 IP is the IP that public services for knowing your public IP report to me.
Again, as I've said ... the 217.124.116.x IPs are not accessible from outside. I guess those IPs have something to do with the DMZ configured by the ISP; I can ping them only when I'm at the office.
As I understand it, your provider grants you a valid IP but still does NAT for the internet. In this case, you have to ask them to do 83. routing for your equipment and change your VIP from "0.0.0.0 -> 192.168.1.12 (TCP: 10000 -> 80)" to "83.xyz -> 192.168.1.12 (TCP: 10000 -> 80)".
Obs. Put the WAN interface in the VIP so that there is the gratuitous ARP and your equipment is presented to the provider as 83.
NSE-4
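The VIP change suggested in the reply above, written out as a FortiOS CLI fragment (an added example, not part of the original thread). The VIP name is hypothetical, `wan1` is assumed to be the FortiGate name of the WAN1 interface, and `83.x.y.143` is the elided address from the thread, to be replaced with the real public IP.

```text
# Added example, not from the thread.
# Assumptions: VIP name "vip-web-10000" is hypothetical; "wan1" is assumed to
# be the interface name; 83.x.y.143 is the elided public IP from the thread.

config firewall vip
    edit "vip-web-10000"
        # Bind the VIP to the WAN interface instead of leaving it unbound,
        # as the reply recommends.
        set extintf "wan1"
        # Changed from 0.0.0.0: match only traffic addressed to the public IP.
        set extip 83.x.y.143
        # Let the FortiGate answer ARP for the external IP on wan1.
        set arp-reply enable
        # Port forward unchanged from the original VIP: TCP 10000 -> 80.
        set mappedip "192.168.1.12"
        set portforward enable
        set protocol tcp
        set extport 10000
        set mappedport 80
    next
end
```

As the reply notes, this only helps once the ISP routes the 83. address to the FortiGate; the existing firewall policy must still reference this VIP as its destination address.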