ATOON
New Contributor III

Assistance to allow external access to your IIS server

Hi,

 

Assistance with a network configuration. We have an application on a local server (IIS) and need access to it from the external network:

I tried the steps below with no luck; I can't access it from an external network.

 

* DDNS:

  • Created account and host on no-ip
  • Configure no-ip client on the server and connected

* On Firewall:

1- Configure Virtual IPs (External IP address/range: 0.0.0.0, Mapped IP address/range: LAN IP)

     Port Forwarding Protocol (TCP), External service port & Map to port (80)

2- Create Policy

  • Incoming Interface (WAN)
  • Outgoing Interface (LAN)
  • Source (all)
  • Destination (VIP) created earlier
  • Schedule (Always)
  • Service (HTTP)
  • Action (Accepted)
  • NAT (Disable) and try (Enable)

Additionally, configure Windows firewall inbound and outbound for port 80

 

Modem: FortiWiFi 30E

Firmware: v6.2.15 build1378 (GA)

1 Solution
hbac
Staff

Hi @ATOON,

 

Please run the following debugs and test connection: 

 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr <source IP>
di deb flow filter port 80
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable

 

Regards, 

ATOON
New Contributor III

Please check the debug attached. Di debug 

hbac

@ATOON,

 

From the debug output, the source IP 10.10.210.250 is not a public IP. Are you making an outbound connection from behind the FortiGate to the public IP of the Huawei router? Do you have port forwarding configured on the router to forward port 80 traffic to 192.168.8.2?

 

Regards,

ATOON
New Contributor III

@hbac

Thanks for your message

 

10.10.210.250 is internal for the local server and my network is Vlans 10.10.xx.xx

 

  • I configured a forward port on the Huawei router,

[Screenshot: hg.png]

ATOON
New Contributor III

@hbac 

 

I resolved the issue by changing LAN 1 to LAN 2 in the out-interface policy rule. I now see that I had initially chosen LAN 1.
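
The root cause in this thread was a policy whose outgoing interface did not match the network where the VIP's mapped server lives. As an added example (not from the thread and not Fortinet tooling), the Python check below looks for that mismatch in a config export. The interface names and addresses, VIP name and policy ID are constructed; it assumes single-valued settings and a server on a directly connected subnet.

```python
import ipaddress
# Constructed FortiOS-style excerpt; every name and interface address is hypothetical.
SAMPLE = '''
config system interface
    edit "lan1"
        set ip 10.10.10.1 255.255.255.0
    next
    edit "lan2"
        set ip 10.10.210.1 255.255.255.0
    next
end
config firewall vip
    edit "iis-http"
        set mappedip "10.10.210.250"
    next
end
config firewall policy
    edit 5
        set dstintf "lan1"
        set dstaddr "iis-http"
    next
end
'''

def parse(text):
    # Flat config/edit/set blocks -> {section: {entry: {key: value}}}; single-valued settings only.
    cfg, sec, ent = {}, None, None
    for line in text.splitlines():
        kind, _, rest = line.strip().partition(" ")
        if kind == "config":
            sec = cfg.setdefault(rest, {})
        elif kind == "edit":
            ent = sec.setdefault(rest.strip('"'), {})
        elif kind == "set":
            key, _, val = rest.partition(" ")
            ent[key] = val.strip().strip('"')
    return cfg

def mismatched_vip_policies(cfg):
    # Flag policies whose dstintf subnet does not contain the mapped IP of the VIP in dstaddr.
    nets = {name: ipaddress.ip_network("/".join(i["ip"].split()), strict=False)
            for name, i in cfg["system interface"].items() if "ip" in i}
    bad = []
    for pid, pol in cfg["firewall policy"].items():
        vip = cfg["firewall vip"].get(pol.get("dstaddr"))
        if vip and ipaddress.ip_address(vip["mappedip"]) not in nets.get(pol["dstintf"], ()):
            bad.append((pid, pol["dstintf"], vip["mappedip"]))
    return bad

print(mismatched_vip_policies(parse(SAMPLE)))
```

A server reached through a further routed hop would also be flagged, so treat a hit as a prompt to check the routing table rather than as proof of a misconfiguration.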

sw2090
SuperUser
SuperUser

What WAN connection do you have on the FGT? If there is a router in front of the FGT this router also has to forward the traffic!

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ATOON
New Contributor III

Have a Huawei router HG8245W5 in front of FGT, internal IP 192.168.8.1.

Make an interface in FGT for wan 192.168.8.2, and make the LAN interface as Vlans 10.10.xx.xx.

So, in the Huawei router, if I try to add the internal host, the LAN IP of the local server 10.10.xx.xx is not accepted.

 

[Screenshot: HW router.png]

ede_pfau
SuperUser
SuperUser

How did you test? Using HTTP or by pinging? Ping won't work here.

Ede Kernel panic: Aiee, killing interrupt handler!
ATOON
New Contributor III

Tested by HTTP browsing, and ping working fine
