kingtech
New Contributor

Cannot ping public IP internally but can from outside

Hello, I am facing this problem for the first time and I don't know where I'm doing it wrong. I have to access my own IP address both from inside and outside the network. The problem is that from outside I am able to connect to the IP and do my stuff, but when I am connected locally I can't.

I tried pinging the address from the FortiGate CLI and I get no response. If I ping it from outside (another public IP, or by using a smartphone on 4G) it works like a charm. Can someone explain to me why, please?

 

I have a FortiGate 60E with 7.2.0 Build 1157.

18 Replies
tio3udes
New Contributor III

The public IP address you are trying to ping, is it configured on one of the FortiGate's interfaces?

ti03udes
kingtech

The WAN1 of the FortiGate is connected to the router, like I always do on FortiGates. The problem is that from the FortiGate I can't ping my OWN IP address, the one I am connected to. The same IP has no problem from outside the network.

tio3udes
New Contributor III

So the firewall does not have a public IP of its own? What do you mean by your own IP address? The router IP, the FortiGate IP?

 

If it's a FortiGate IP, is ping enabled on the interface?

ti03udes
kingtech

Sorry for the Easter delay.

The configuration is as follows:

Router 192.168.1.1 - Fortigate WAN 192.168.1.15, LAN 192.168.90.15 - Switch - PCs

Ping is enabled and everything is working from outside the network (smartphone on 4G, another connection, etc.). When I'm connected to the switch or directly to the Forti, or on the FortiGate CLI itself, I can't ping or interact with anything on my public IP.

pminarik
Staff

If the public IP is directly configured on, or owned by, the FortiGate, then for the LAN->WAN direction to reach the public IP, you will need a firewall policy for exactly this direction.

This may be a bit more complicated if you're trying to reach a service through a VIP (let us know if this is the case).

 

If the public IP is actually located on the router upstream of the FortiGate (the idea being that the router might be doing some DNAT/port-forwarding, or filtering traffic in the direction inbound to your FortiGate), then you will need to check with someone managing that router. Maybe it just doesn't allow the traffic to flow in such direction?

 

[ corrections always welcome ]
kingtech

Sorry for the Easter delay.

The public IP is on the router, where I have a 1:1 NAT to the local IP 192.168.1.15, to which I connected the FortiGate's WAN port.

As I replied to tio3udes: ping is enabled and everything is working from outside the network (smartphone on 4G, another connection, etc.). When I'm connected to the switch or directly to the Forti, or on the FortiGate CLI itself, I can't ping or interact with anything on my public IP.

pminarik

In that case I would suggest running a sniffer on the FortiGate to find out whether you are receiving the ping packet at all when it comes from the WAN direction.

 

diag sniffer packet <wan> "host <source-ip> and icmp" 4 0 a
# test now
CTRL+C to stop the capture

 

replace <wan> with the actual name of your "WAN" interface (the one pointing to the router upstream), and <source-ip> with the public IP of your client-device sending the test-pings.

If you see the packet arrive, some further investigation on the FortiGate will be needed. But if you don't see it arriving at all, you'll need to check further upstream (router or ISP), because there's nothing we can do on the FortiGate if the packet does not reach it at all.

[ corrections always welcome ]
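As an added example (not from this thread, nor Fortinet's own tooling), the decision rule in the post above turned into a small Python script: it parses the header lines of a `diag sniffer packet ... 4 0 a` capture, counts echo requests arriving from the tester's public IP and echo replies leaving towards it, and reports whether to look upstream or at the FortiGate. The three captures embedded in it are constructed to mimic the sniffer's verbosity-4 line format; the tester address 198.51.100.7, the timestamps and the interface name are assumptions, and 192.168.1.15 is the WAN address given in the thread.

```python
import re

# Constructed sample captures (not from the thread). They mimic the shape of
#   diag sniffer packet wan1 "host <tester-ip> and icmp" 4 0 a
# at verbosity 4 (one header line per packet: interface, direction, src -> dst,
# protocol summary) with the 'a' option giving absolute UTC timestamps.
# 198.51.100.7 is an assumed tester public IP (documentation range);
# 192.168.1.15 is the FortiGate WAN address behind the router's 1:1 NAT.
CAPTURE_NOTHING = """\
interfaces=[wan1]
filters=[host 198.51.100.7 and icmp]
0 packets received by filter
0 packets dropped by kernel
"""

CAPTURE_REQUESTS_ONLY = """\
interfaces=[wan1]
filters=[host 198.51.100.7 and icmp]
2024-04-01 10:15:02.118733 wan1 in 198.51.100.7 -> 192.168.1.15: icmp: echo request
2024-04-01 10:15:03.120012 wan1 in 198.51.100.7 -> 192.168.1.15: icmp: echo request
2024-04-01 10:15:04.121380 wan1 in 198.51.100.7 -> 192.168.1.15: icmp: echo request
3 packets received by filter
0 packets dropped by kernel
"""

CAPTURE_ANSWERED = """\
interfaces=[wan1]
filters=[host 198.51.100.7 and icmp]
2024-04-01 10:20:02.000101 wan1 in 198.51.100.7 -> 192.168.1.15: icmp: echo request
2024-04-01 10:20:02.000350 wan1 out 192.168.1.15 -> 198.51.100.7: icmp: echo reply
2 packets received by filter
0 packets dropped by kernel
"""

# One sniffer header line. The timestamp prefix is not anchored, so both
# relative and absolute ('a' option) timestamps parse.
PACKET_RE = re.compile(
    r"(?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"icmp: echo (?P<kind>request|reply)"
)
FOOTER_RE = re.compile(r"^(\d+) packets received by filter$")


def parse_sniffer(text):
    """Return (list of echo packets as dicts, packet count from the footer or None)."""
    packets, received = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PACKET_RE.search(line)
        if m:
            packets.append(m.groupdict())
            continue
        f = FOOTER_RE.match(line)
        if f:
            received = int(f.group(1))
    return packets, received


def verdict(text, tester_ip):
    """Apply the thread's decision rule to one capture.

    CHECK_UPSTREAM    - no echo request from tester_ip arrived: the FortiGate
                        never saw the packet, so router/ISP must be checked.
    CHECK_FORTIGATE   - requests arrived but no echo reply went back out:
                        look at allowaccess, policies and routing on the box.
    FORTIGATE_REPLIES - requests in and replies out: the FortiGate answers.
    """
    packets, _ = parse_sniffer(text)
    requests_in = [p for p in packets
                   if p["dir"] == "in" and p["kind"] == "request" and p["src"] == tester_ip]
    replies_out = [p for p in packets
                   if p["dir"] == "out" and p["kind"] == "reply" and p["dst"] == tester_ip]
    if not requests_in:
        return "CHECK_UPSTREAM"
    if not replies_out:
        return "CHECK_FORTIGATE"
    return "FORTIGATE_REPLIES"


if __name__ == "__main__":
    for name, capture in (("nothing", CAPTURE_NOTHING),
                          ("requests only", CAPTURE_REQUESTS_ONLY),
                          ("answered", CAPTURE_ANSWERED)):
        pkts, received = parse_sniffer(capture)
        print(f"{name:14s} footer={received} parsed={len(pkts)} "
              f"-> {verdict(capture, '198.51.100.7')}")
```

Paste the real capture into `CAPTURE_*` (or read it from a file) and call `verdict()` with the public IP of the device sending the test pings; a footer count higher than the number of parsed lines means the filter also caught non-echo ICMP (for example unreachables), which is worth reading by hand.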
kingtech

Thanks for the reply. I did the tests you suggested, and I did them on two FortiGates: the one I own, without problems, and the client's one, where I have this problem. For security reasons I will write symbols instead of the IPs; I hope it will be clear.

 

My own IP: X.X.X.X (this is where everything is working)

My Client IP: Y.Y.Y.Y (this is where we have the problem).

 

On my own FortiGate I tried the command with X.X.X.X and Y.Y.Y.Y and it worked with 0 packet loss to both of them; however,

 

on the client FortiGate I tried the command with X.X.X.X and Y.Y.Y.Y as well; the first one (my own IP) worked with 0 packet loss, the second (client IP) did not work. I will just paste this last log:

 

FortiGate # diag sniffer packet wan1 "host Y.Y.Y.Y and icmp" 4 0 a
interfaces=[wan1]
filters=[host Y.Y.Y.Y and icmp]
# test now
^C
0 packets received by filter
0 packets dropped by kernel

 

That's all, thanks for your time and help.

seshuganesh
Staff

Hi Team,

 

From the previous sniffer, we were not able to observe any output. I would request you to run the sniffer this way:

diag sniffer packet any 'host 8.8.4.4 and icmp' 4 0 a

 

Once you enter this sniffer, ping 8.8.4.4 from another console session on the firewall and share the result with us.

 
