kingtech
New Contributor

Cannot ping public ip internally but can from outside

Hello, I am facing this problem for the first time and I don't know where I'm doing it wrong. I have to access my own IP address both from inside and outside the network. The problem is that from outside I am able to connect to the IP and do my stuff, but when I am connected locally I can't.

I tried pinging the address from the FortiGate CLI and I get no response. If I ping it from outside (another public IP, or by using a smartphone on 4G) it works like a charm. Can someone explain to me why, please?

 

I have a fortigate 60E with 7.2.0 Build 1157

kingtech

Here are the results:

 

FortiGate # diag sniffer packet any 'host 8.8.4.4 and icmp' 4 0 a
interfaces=[any]
filters=[host 8.8.4.4 and icmp]
2022-04-21 09:27:04.258525 wan1 out 192.168.1.15 -> 8.8.4.4: icmp: echo request
2022-04-21 09:27:04.288113 wan1 in 8.8.4.4 -> 192.168.1.15: icmp: echo reply
2022-04-21 09:27:05.269305 wan1 out 192.168.1.15 -> 8.8.4.4: icmp: echo request
2022-04-21 09:27:05.298873 wan1 in 8.8.4.4 -> 192.168.1.15: icmp: echo reply
2022-04-21 09:27:06.279273 wan1 out 192.168.1.15 -> 8.8.4.4: icmp: echo request
2022-04-21 09:27:06.309581 wan1 in 8.8.4.4 -> 192.168.1.15: icmp: echo reply
2022-04-21 09:27:07.289303 wan1 out 192.168.1.15 -> 8.8.4.4: icmp: echo request
2022-04-21 09:27:07.318825 wan1 in 8.8.4.4 -> 192.168.1.15: icmp: echo reply
2022-04-21 09:27:08.299284 wan1 out 192.168.1.15 -> 8.8.4.4: icmp: echo request
2022-04-21 09:27:08.329063 wan1 in 8.8.4.4 -> 192.168.1.15: icmp: echo reply
^C
10 packets received by filter
0 packets dropped by kernel

seshuganesh

 

We can see that the request and reply are happening. But earlier you mentioned you are not able to access anything on the internet from the firewall.

Could you please reclarify?

kingtech

Maybe I was not clear, sorry.

I don't have any problem accessing the internet; the problem is that I can't use services through my public IP when I'm INSIDE the FortiGate LAN. But I can if I am OUTSIDE this network. Let's suppose my public IP is 70.7.70.7 and I have forwarded some services through the FortiGate to specific devices in my network. If I type 70.7.70.7 in the browser when I am connected to the LAN, I receive an empty response because it does not work. If I type the same IP from outside the network, everything works fine. Am I clear?

seshuganesh

Hi Team,

 

Thanks for the detailed explanation.

You are trying to achieve hairpin NAT.

Step-1: Let's say you are accessing 70.70.7.7 (your upstream router's public IP) from a LAN machine (192.168.90.15).
The firewall should require one LAN to WAN policy with NAT enabled; I will assume it is there.

Step-2:

There should be a WAN to LAN policy with source as all and destination as the VIP object.

Please check and give us an update.

 

kingtech

Thanks for the reply. I double-checked and I can confirm that I have those 2 policies.

seshuganesh

Hi Team,

 

 

Thanks for the update.

 

Could you please provide us a screenshot of the firewall policy and VIP object here?

kingtech

Sorry for the delay, I attached the two screenshots, thanks.

[Attachments: policy.PNG, VIP.PNG]

seshuganesh

The configuration is absolutely fine.

It's better if you can raise a case with the support team to further check on this issue.

 

kingtech

I tried the command from above with a second FortiGate CLI, pinging the public IP, and this is the result:

 

FortiGate # diag sniffer packet any "host Y.Y.Y.Y and icmp" 4 0 a
interfaces=[any]
filters=[host Y.Y.Y.Y and icmp]
2022-04-21 09:29:56.178087 wan1 out 192.168.1.15 -> Y.Y.Y.Y: icmp: echo request
2022-04-21 09:29:57.189354 wan1 out 192.168.1.15 -> Y.Y.Y.Y: icmp: echo request
2022-04-21 09:29:58.199361 wan1 out 192.168.1.15 -> Y.Y.Y.Y: icmp: echo request
2022-04-21 09:29:59.209381 wan1 out 192.168.1.15 -> Y.Y.Y.Y: icmp: echo request
2022-04-21 09:30:00.219352 wan1 out 192.168.1.15 -> Y.Y.Y.Y: icmp: echo request
^C
5 packets received by filter
0 packets dropped by kernel
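
Added example, not part of any post in this thread: a short Python script that parses `diag sniffer packet ... 4 0 a` output like the two captures above and reports which ping targets had echo requests captured with no echo reply, and on which interface and direction each flow was seen. The function names are this example's own; the sample lines are copied from the thread's captures (trimmed).

```python
import re
from collections import defaultdict

# Matches ICMP echo lines printed by `diag sniffer packet any '<filter>' 4 0 a`.
LINE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): icmp: echo (?P<kind>request|reply)$"
)

# Lines taken from the two captures in this thread (trimmed); Y.Y.Y.Y is the
# poster's redacted public IP.
SAMPLE = """\
FortiGate # diag sniffer packet any 'host 8.8.4.4 and icmp' 4 0 a
interfaces=[any]
2022-04-21 09:27:04.258525 wan1 out 192.168.1.15 -> 8.8.4.4: icmp: echo request
2022-04-21 09:27:04.288113 wan1 in 8.8.4.4 -> 192.168.1.15: icmp: echo reply
2022-04-21 09:27:05.269305 wan1 out 192.168.1.15 -> 8.8.4.4: icmp: echo request
2022-04-21 09:27:05.298873 wan1 in 8.8.4.4 -> 192.168.1.15: icmp: echo reply
2022-04-21 09:29:56.178087 wan1 out 192.168.1.15 -> Y.Y.Y.Y: icmp: echo request
2022-04-21 09:29:57.189354 wan1 out 192.168.1.15 -> Y.Y.Y.Y: icmp: echo request
2022-04-21 09:29:58.199361 wan1 out 192.168.1.15 -> Y.Y.Y.Y: icmp: echo request
0 packets dropped by kernel
"""

def summarize(capture):
    """Group echo traffic by (pinging host, target) and count both directions."""
    flows = defaultdict(lambda: {"requests": 0, "replies": 0, "seen_on": set()})
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompt, filter header, ^C and counter lines
        if m["kind"] == "request":
            flow = flows[(m["src"], m["dst"])]
            flow["requests"] += 1
        else:  # a reply travels target -> pinging host
            flow = flows[(m["dst"], m["src"])]
            flow["replies"] += 1
        flow["seen_on"].add(f'{m["intf"]} {m["dir"]}')
    return dict(flows)

def unanswered(capture):
    """Targets whose echo requests were captured but never answered."""
    return sorted(t for (_, t), f in summarize(capture).items()
                  if f["requests"] and not f["replies"])

if __name__ == "__main__":
    for (host, target), f in summarize(SAMPLE).items():
        print(host, "->", target, f["requests"], "req,", f["replies"], "rep,",
              sorted(f["seen_on"]))
    print("unanswered:", unanswered(SAMPLE))
```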
