Hello,
I just installed a new fortigate and for first time enabled "central NAT" from cli
I created a SNAT rule for each outgoing Internet connection and I think these rules are working because I can browse Internet
Now I want to forward the port TCP 81 to 10.1.1.234 because I need to access there from Internet.
I created the following "DNAT & Virtual IP":
Interface: lan (I dont know if this should be the source or destination interface, but I tested with each with no luck)
Source Interface Flter: disabled
External IP Address/Range: PublicIP
Mapped IP Address/Range: 10.1.1.234
Optional Filters: disabled
Port Forwarding: enabled
Protocol: TCP
External Service Port: 81
Map to Port: 81
I can connect from inside with "telnet 10.1.1.234 81" but I can not connect from outside with "telnet publicIP 81", so the "DNAT & Virtual IP" is not working
What is wrong?
Thanks in advance.
Regards,
Damián
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Thanks for your response.
There is not any rule in sd-wan -> lan
This is because I could not select a VIP in a policy.
I added temporarily a rule to allow everything but as this does not solve the issue I deleted this.
So, every time I need to create a VIP I need to do the following?
- Create a rule
- Enable the match-vip from cli
- Match VIP in the rule
This does not make a sense to me
In this case, what is "Central NAT" for?
I thought that no rule is needed with "Central NAT", that is what I understood in the course.
Regards,
Damián
So, every time I need to create a VIP I need to do the following? - Create a rule - Enable the match-vip from cli - Match VIP in the rule
Yes you need a policy if that what you mean by rule. No policy and without the vip defined for the destination is not going to work. All traffic is controlled by the policy.
In this case, what is "Central NAT" for?
A central nat table just provides a central table for nat-translation but for SNAT A vip is not controlled by the central-nat table. In fact the name suggest it's a snat-map.
People who like central-nat table are mainly people that come from the checkpoint,juniper,ciscoASA,palo shop since it does or work nearly the same.
If you enabel central-snat you do NOT use nat in your polic, the table manages the SNATs.
Read more here.
;)
BTW SANT has nothing to do with your vip, fwiw
Ken Felix
PCNSE
NSE
StrongSwan
Hello again,
I hope I dont need to explain again that although I attached an image from a course, this is about a real fortigate in a production environment (the course ended some weeks before, the lab is not already available)
I finally could test, did the following:
- Added a service for port 81
- Added a rule from sd-wan to lan for this service
- Tried to enable match-vip for this policy as https://kb.fortinet.com/kb/documentLink.do?externalID=FD33338 but failed
FGT # config firewall policy FGT (policy) # edit 5 FGT (5) # set match-vip enable command parse error before 'match-vip' Command fail. Return code -61
So, I attached again the image from the lab guide which I followed when did the course
In this image you can see, the following words from fortigate: "As soon as VIP object is created, Fortigate automatically creates a rule in the kernel for DNAT to occur", which I interpreted as: "I dont need to create a policy"
Which is the problem here?
If I need to enable match-vip for the rule, which is the proper command to accomplish this?
Regards,
Damián
Not sure what you doing but 1st let's start with tis
"As soon as VIP object is created, Fortigate automatically creates a rule in the kernel for DNAT to occur", which I interpreted as: "I dont need to create a policy"
Creating a vip does NOT side-step the need for a rule. I'm not sure why you keep bring this up.
2nd let's see the fw-policy #5
( from cli using the above mention policyid5 )
show full firewall policy 5
Let's see your vip so we can fully understand what your doing
show full firewall vip
Can you give us those 2 outputs from the cli?
Ken Felix
PCNSE
NSE
StrongSwan
Sure, thanks for your reply,
FGT # show full firewall policy 5
config firewall policy
edit 5
set name "DVR"
set uuid a6d824f4-ec4d-51ea-7f07-66b8d321df2d
set srcintf "virtual-wan-link"
set dstintf "lan"
set srcaddr "all"
set dstaddr "DVRs"
set internet-service disable
set internet-service-src disable
set rtp-nat disable
set learning-mode disable
set action accept
set status enable
set schedule "always"
set schedule-timeout disable
set service "Web2"
set dscp-match disable
set utm-status disable
set logtraffic utm
set logtraffic-start disable
set auto-asic-offload enable
set np-acceleration enable
set permit-any-host disable
set permit-stun-host disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set fsso disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set ssl-mirror disable
set scan-botnet-connections disable
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
unset vlan-filter
set profile-protocol-options "default"
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
next
end
FGT # show full firewall vip
config firewall vip
edit "DVR"
set id 0
set uuid 71b50130-e166-51ea-3826-075742213cf8
set comment "Port 81 to DVR"
set type static-nat
set extip 179.60.208.66
set extintf "any"
set arp-reply enable
set nat-source-vip disable
set portforward enable
set gratuitous-arp-interval 0
set color 18
set mappedip "10.1.1.234"
set protocol tcp
set extport 81
set mappedport 81
set portmapping-type 1-to-1
next
end
Regards,
Damián
The custom service web2 is that set for tcp.port 81? What I would do is run "diag debug flow" and look for traffic and the match.
diag debug flow filter port 81
diag debug flow filter addr 179.60.208.66
diag debug enable
diag debug flow trace start 10
Then start some traffic and look and update what you see.
Ken Felix
PCNSE
NSE
StrongSwan
Hello, thanks for your response
The custom service web2 is that set for tcp.port 81?
Yes, only TCP 81
I already did a debug flow and pasted it in a previous note of this post:
id=20085 trace_id=1 func=print_pkt_detail line=5573 msg="vd-root:0 received a packet(proto=6, SRCpublicIP:53495->WAN1IP:81) from wan. flag , seq 4175373843, ack 0, win 64240" id=20085 trace_id=1 func=init_ip_session_common line=5744 msg="allocate a new session-01b345f2" id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-WAN1IP via root" id=20085 trace_id=1 func=fw_local_in_handler line=412 msg="iprope_in_check() check failed on policy 0, drop"
There is not a rule to allow this traffic
Regards,
Damián
Do us a favor, please take the ext-ip of the vip and ensure it's not being used else where the fortigate?
(i.e using 179.60.208.66 )
#cli
show full | grep -f 179.60.208.66
Ken Felix
PCNSE
NSE
StrongSwan
Hello, thanks for your help
I just checked again and I could connect with the correct IP.
I saw that the VIP had the external IP of the secondary WAN connection, when I changed it to use the primary WAN connection started working, then I changed it again to the secondary and worked again.
I dont know what happened there because when I do the test the first time I used the correct IP and I had created a rule to allow everything just for some minutes for testing purpouse.
Thanks.
Regards,
Damián
I started before with Mikrotik and I like it (I know about the pros of fortigate, of course)
When I did the NSE4 course I started to like fortigate a little more than before but still prefer Mikrotik for almost everything
There is a very huge diference about the documentation of both, this is why I like Mikrotik, there are a lot of insignificant documentation about fortigate, there are a lot of pages with useless information
An exaple of useless documentation is something like this:
To create an IPsec VPN do the following: Go to VPN IPsec Click on create new Complete field 1 Complete field 2 Complete field 3 Click finnish
I have find a lot of fortigate pages like this, do you understand why is this useless? Somewhere should say which is every field, which kind of VPN is that, what is this for, etc.
And I think this is why this post take too much time, a lot of suggestion to do useless steps, a lot of ignorance about a lot of fortigate features (I am the first with ignorance)
Of course I find some time some good fortigate documentation but I need to have a very lucky day
I think fortigate should improve its documentation, but this will take a lot of day of work for the people with enought knowledge.
Regards,
Damián
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.