Hi, so we have a FortiGate 1801F as our internet firewall. This FortiGate firewall has a public IP assigned on its interface and has a direct connection to the ISP PE.
We have NAT for internal users going to the internet (using the outgoing interface IP), and we have 1-to-1 NAT for our server X, which is accessible from the internet. This server X public IP is in the same subnet as the internal users' public IP; server X's public IP uses a virtual IP for the 1-to-1 NAT.
This server X public IP can be accessed from the public internet (my coworker on a different continent can access it), but this server X can't be accessed by internal users. These internal users access server X not using server X's internal IP, but using server X's public IP.
I tried a traceroute and Forti shows something like a strange symbol: !H !H
The rule for server X is:
source: any, dest: server X, port: 443.
The rule for internal users is:
source: internal user IP, dest: any, port: any
Is it because the internal users use a public IP that is in the same subnet as server X's public IP, so the internal users can't access server X's public IP? Or is there some kind of Forti config that I didn't know about?
Hello,
For your internal users to access your server from the public IP, you need to configure a NAT hairpin.
Basically, imagine that your packet does a loop and goes to your server.
Try this guide, it has helped me in the past:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448
Hi, yes, it looks like we need to do hairpin. We'll do it in the next change window; I'll post an update after the changes.
When an internal user connects to the server, the flow may be like below.
SYN - Source IP is the private PC IP --- Destination IP is the public IP
The packet reaches the switch, the switch sends it to the firewall, and the firewall forwards it to the server via the switch again after NAT.
All good here.
SYN-ACK - Source IP is the private IP of the server --- Destination is the private IP of the PC
The packet reaches the switch, and the switch will forward it directly to the PC as it is aware of the route and there is no need to send it to the firewall.
Now the TCP handshake is broken on the firewall as the TCP SYN-ACK doesn't reach the firewall.
The TCP ACK from the client will again take the first path and reach the firewall, but it won't accept it as the TCP SYN never reached the firewall.
This can be fixed if you enable interface NAT towards the server on the PC port. This way, the SYN-ACK will reach the firewall as the destination will be the firewall IP and not the PC IP.
Feel free to correct me if I misunderstood the topology/flow.
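As an added illustration (not from any poster in this thread), this is what the hairpin setup both replies describe looks like in FortiOS CLI form: the VIP is made to match on any interface, and a LAN-to-LAN policy with source NAT forces the server's SYN-ACK back through the FortiGate instead of straight to the client via the switch. Interface names ("wan1", "internal"), the policy IDs and the addresses are placeholders and must be replaced with your own.

```fortios
# Added illustration, not configuration from the thread. Placeholders:
#   203.0.113.10  = server X public IP (the VIP external address)
#   192.168.10.10 = server X private IP
#   wan1 / internal = ISP-facing and LAN-facing interface names

# 1. VIP with extintf "any": without this the VIP only matches packets that
#    arrive on the WAN interface, so LAN clients hitting the public IP miss it.
config firewall vip
    edit "serverX-vip"
        set extip 203.0.113.10
        set mappedip "192.168.10.10"
        set extintf "any"
    next
end

config firewall policy
    # 2. Existing inbound policy (Internet -> server X) stays as it is.
    edit 10
        set name "inbound-serverX"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "serverX-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # 3. Hairpin policy: LAN -> LAN via the VIP. "set nat enable" rewrites the
    #    client source to the FortiGate's internal interface IP, so the server's
    #    SYN-ACK is addressed to the firewall and the switch cannot short-cut it.
    edit 11
        set name "hairpin-serverX"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "serverX-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```

To confirm the fix, run `diagnose sniffer packet internal 'host 192.168.10.10 and port 443' 4` on the FortiGate while a LAN client connects to the public IP: both the SYN and the SYN-ACK of that session should now appear, with the client side shown as the internal interface address.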