I have an 80D unit and I want to configure it to allow HTTPS/HTTP/SSH services hosted on 2 different internal servers. I have been reading a lot of the forums but still cannot quite get the 2nd public IP to do what I need. To hide my Public IPs a bit I'll use "Public.56" and "Public.58" as the externally assigned IPv4 addresses.
Port 1: Public.56
Port 4: Internal 192.168.242.1
I can successfully port forward 22 (SSH) and 80 (HTTP) from Port 1 to Port 4 and to the internal server at 192.168.242.120. This has been working just fine for a while now. No issues there.
I now have a physical 2nd server that also serves up SSH and HTTPS. For reasons beyond my control when accessing the SSH the port MUST be 22 from the outside. Clients have made FW rules on their end for their developers to connect on our port 22. I have 4 more Public IPs available to us so I thought I would fire up another set of physical ports on the 80D:
Port 2: Public.58
Port 3: Internal 10.0.242.1
I need to port forward from Port 2 to Port 3 both port 22 (SSH) and port 443 (HTTPS). I thought I set all the objects up appropriately but I get no response from the internal server on either SSH or HTTPS. I have created the proper DNS A record entries at our DNS provider, so doing an NSLookup on the name of the server gives back the correct FQDN.
The 2nd server does have 2 physical ethernet cards installed, so it is dual homed. Each port is hooked up to either Port 3 or Port 4, so the networks are bridged, at least for now until I get this figured out. At one point I put in a rule to port forward from Port 2 (Public.58) to Port 4 (Internal 192.168.242.119) but I get a (Reverse Path Forwarding) error and the packets are dropped silently. I used the console and the diag flow to find that error. It seems like I am close but I am very new to these enterprise class devices so I am a bit lost. I can SSH and HTTPS from other computers on either network into the server so it is responding, I just cannot get anything from the outside in.
Any help is much appreciated.
No need to use different physical ports for the public IPs. (Assuming same ISP/subnet.)
Create a VIP with the proper public IP > internal IP and assign it to port1 as the interface (same as with the first one).
Then the policy to allow the traffic.
Thank you for your answer. This also illuminated a slight misconfiguration in the first set of port forwards. I had created the first pair of VIPs (Virtual IPs) with an "External IP Address/Range" of 0.0.0.0 because that is what I probably found somewhere on the internet and that seemed to work. I have since set the External IP to my "Public.56" instead.
I knew it would be fairly "straight forward" but without that enterprise knowledge on how all of this works I was stumped.
Thanks Again
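For readers landing here with the same setup, here is what the accepted answer and the follow-up fix look like in FortiOS CLI. This is an added example, not configuration from the thread; it assumes 203.0.113.58 stands in for "Public.58", that the second server is reached at 192.168.242.119 behind port4, and the object names are invented.

```fortios
# Added example, not the thread's own config. Assumptions: 203.0.113.58 is a
# placeholder for "Public.58"; the second server answers at 192.168.242.119
# behind port4; all object names are invented.
config firewall vip
    # One VIP per published port. extip is the real public address, not
    # 0.0.0.0, so each public IP only answers for its own service.
    edit "VIP_Public58_SSH"
        set extip 203.0.113.58
        set extintf "port1"            # same WAN port that carries Public.56
        set mappedip "192.168.242.119"
        set portforward enable
        set protocol tcp
        set extport 22
        set mappedport 22
    next
    edit "VIP_Public58_HTTPS"
        set extip 203.0.113.58
        set extintf "port1"
        set mappedip "192.168.242.119"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

config firewall vipgrp
    edit "VIPGRP_Public58"
        set interface "port1"
        set member "VIP_Public58_SSH" "VIP_Public58_HTTPS"
    next
end

config firewall policy
    edit 0
        set name "Inbound_Public58_Server2"
        set srcintf "port1"
        set dstintf "port4"            # server side, so no RPF asymmetry
        set srcaddr "all"
        set dstaddr "VIPGRP_Public58"
        set action accept
        set schedule "always"
        set service "SSH" "HTTPS"      # only the two ports actually published
        set nat disable                # keep the real client IP in server logs
        set logtraffic all
    next
end
```

The same `diagnose debug flow` used in the question is the quickest check that the SYN hits this policy and is DNATed to 192.168.242.119 rather than dropped.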
Copyright 2024 Fortinet, Inc. All Rights Reserved.