subnet_warrior
New Contributor

Can't access server with same public IP subnet in FortiGate WAN firewall, kindly advise

Hi, so we have a FortiGate 1801F as our internet firewall. This FortiGate firewall has a public IP assigned on its interface and has a direct connection to the ISP PE.

We have NAT for internal users going to the internet (using the outgoing interface IP), and we have 1-to-1 NAT for our server X so it is accessible from the internet. Server X's public IP is in the same subnet as the internal users' public IP; server X's public IP uses a virtual IP for the 1-to-1 NAT.

[screenshot attachment: Screenshot 2023-09-27 at 11.05.14.png]

Server X's public IP can be accessed from the public internet (my coworker on a different continent can access it), but server X can't be accessed by internal users. The internal users access server X not via its internal IP, but via its public IP.

I tried a traceroute and the FortiGate shows something like a strange symbol: !H !H

The rule for server X is:

source: any, dest: server X, port: 443

The rule for internal users is:

source: internal user IP, dest: any, port: any

Is it because the internal users use a public IP that is in the same subnet as server X's public IP, so the internal users can't access server X's public IP? Or is there some kind of FortiGate config that I didn't know about?

elsantas
New Contributor III

Hello,

For your internal users to access your server via the public IP, you need to configure a NAT hairpin.
Basically, imagine that your packet does a loop and goes to your server.

Try this guide; it has helped me in the past:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

==============================

Not all those who wander are lost

==============================
subnet_warrior

Hi, yes, it looks like we need to do hairpin NAT. We'll do it in the next change window; I'll give an update after the changes.

srajeswaran
Staff

When an internal user connects to the server, the flow may be as below.

SYN - Source IP is the private PC --- Destination IP is the public IP
The packet reaches the switch, the switch sends it to the firewall, and the firewall forwards it to the server via the switch again after NAT.
All good here.

SYN-ACK - Source IP is the private IP of the server - Destination is the private IP of the PC
The packet reaches the switch, and the switch will forward it directly to the PC as it is aware of the route and has no need to send it to the firewall.

Now the TCP handshake is broken on the firewall as the TCP SYN-ACK doesn't reach the firewall.

The TCP ACK from the client will again take the first path and reach the firewall, but it won't accept it as the TCP-SYN never reached the firewall.

This can be fixed if you enable interface NAT towards the server from the PC port. This way, the SYN-ACK will reach the firewall as the destination will be the firewall IP and not the PC IP.

Feel free to correct me if I misunderstood the topology/flow.

Regards,
Suraj
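The hairpin NAT that both replies point to, as an added FortiOS CLI example that is not from this thread or from Fortinet's KB article. The interface names ("internal", "wan1"), the address object names and the IP addresses (documentation ranges) are assumed placeholders; the VIP's extintf is set to "any" on the assumption that the VIP must also match traffic arriving on the internal interface.

```fortios
# Added example, not from the thread. Assumptions:
#   "internal"    = LAN interface facing both users and server X
#   "wan1"        = ISP-facing interface
#   203.0.113.10  = server X public IP (same /24 as the WAN interface IP)
#   10.0.0.10     = server X private IP, 10.0.0.0/24 = internal users
config firewall vip
    edit "serverX-vip"
        set extip 203.0.113.10
        # "any" rather than "wan1": the VIP has to match on the internal
        # interface too, otherwise the hairpin policy never sees it
        set extintf "any"
        set mappedip "10.0.0.10"
    next
end
config firewall address
    edit "internal-users"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall policy
    # Existing inbound rule: internet -> server X via the VIP, no source NAT
    edit 0
        set name "wan-to-serverX"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "serverX-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Hairpin rule: internal -> internal through the VIP. "set nat enable"
    # source-NATs the client to the FortiGate's internal interface IP, so the
    # server's SYN-ACK is addressed to the firewall and cannot short-cut
    # through the switch straight back to the PC (the broken flow above).
    edit 0
        set name "hairpin-serverX"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "internal-users"
        set dstaddr "serverX-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```

With source NAT on the hairpin rule, server X's logs will show the FortiGate's internal interface address instead of the real client IP, so correlate client identity from the FortiGate's own traffic log for that policy.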