bettioool
New Contributor II

Connection from VLAN to VIP does not work

Hello everyone,
I have the following configuration: 3 VLANs (more will be added in the future), each hosting one server that offers a service.

Each server has a one-to-one VIP configured, and its policy uses an IP Pool with the same IP as the VIP.

If I try to connect from a server in one of these VLANs to the VIP of a server in another VLAN, it does not work.
For example, from Server 11 I try to connect to the VIP of Server 21 or 31, and the connection fails.

How can I solve this? I attach for simplicity a diagram showing the current configuration.

 

Immagine 2024-05-13 121901.png

These are the policies configured for the VLAN:

 

 

# One-to-one VIP: traffic addressed to the external IP X.X.X.103 is
# destination-NATed to the internal server 10.X.21.X.
config firewall vip
    edit "VIP Libraesva XXXX"
        set uuid b4f0161e-ea9b-51ee-e7ea-5c6c30663786
        set extip X.X.X.103
        set mappedip "10.X.21.X"
        # extintf "any": the VIP is not tied to one ingress interface, so which
        # sources can actually reach it is decided only by the firewall policies
        # that reference it.
        set extintf "any"
        set color 8
    next
end

# Single-address IP pool (startip == endip) using the same address as the
# VIP's extip, so the server's outbound sessions are source-NATed to X.X.X.103.
# NOTE(review): this object is named "...XXX" while policy 35 references
# "IP Pool Libraesva XXXX" - probably a redaction artifact; confirm the names
# match on the device.
config firewall ippool
    edit "IP Pool Libraesva XXX"
        set startip X.X.X.103
        set endip X.X.X.103
    next
end

# Inbound policy: HTTPS from the SD-WAN zone to the VIP.
config firewall policy
    edit 44
        set name "Internet to VIP XXXX Esva HTTPS"
        set uuid 4e622af2-ecfa-51ee-d4d2-7074d2965dca
        # Only sessions entering on "virtual-wan-link" match this policy;
        # sessions arriving from the internal VLAN interfaces do not.
        set srcintf "virtual-wan-link"
        # NOTE(review): the VIP maps to 10.X.21.X - confirm that address is
        # reached through VLAN-54.
        set dstintf "VLAN-54"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP Libraesva XXXX"
        set schedule "always"
        # Exposure is limited to HTTPS.
        set service "HTTPS"
        # Security profiles (certificate inspection, AV, web filter, IPS,
        # application control) and logging of all sessions are applied here.
        # NOTE(review): any additional policy added to allow VLAN-to-VIP access
        # should carry equivalent profiles and logging.
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "g-default"
        set webfilter-profile "g-default"
        set ips-sensor "g-default"
        set application-list "g-default"
        set logtraffic all
    next
end

# Outbound policy: the server's VLAN to the SD-WAN zone, source-NATed to the
# IP pool so outbound traffic uses the same public address as the VIP.
config firewall policy
    edit 35
        set name "XXXX Esva to Internet"
        set uuid 306ab010-ea9c-51ee-db4f-01ba73aaf031
        set srcintf "VLAN-54"
        # Destination interface is the SD-WAN zone only; this policy does not
        # cover traffic toward other internal VLAN interfaces.
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "VLAN 54 - XXXX Libraesva"
        # NOTE(review): egress is open to all destinations and all services;
        # consider restricting it to what the server actually needs.
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "g-default"
        set webfilter-profile "g-default"
        set ips-sensor "g-default"
        set application-list "g-default"
        set logtraffic all
        # Source NAT using the named pool instead of the egress interface address.
        set nat enable
        set ippool enable
        set poolname "IP Pool Libraesva XXXX"
    next
end

 

 Thanks

Regards

10 REPLIES 10
AEK
SuperUser
SuperUser

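You are probably looking for hairpin NAT: in the configuration shown, the only policy that allows traffic to the VIP (policy 44) has srcintf "virtual-wan-link", so connections arriving from the other VLAN interfaces do not match it. Check this article: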

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

AEK
AEK