Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
syldor
New Contributor

External access to web server

Hi there,

 

I'm trying to allow external access to an internal web server controlled by a Fortigate 300D unit.

I have a web server at internal address 10.18.1.22 listening on port 3000. Access ok from the network.

My network only has one external ip address EXT_IP (that i can see when going on whatismyip.com).

I want to open external access to the server so I did the following:

[ul]
  • Create a virtual IP[/ul]

    External IP Address: EXT_IP

    Mapped IP Address: 10.18.1.22

    External Service Port: 3000-3000

    Map to Port: 3000-3000

     

    [ul]
  • Create a new policy (IPv4)[/ul]

    Incoming interface: Port 2 (External)

    Source Address: all

    Outgoing Interface: Port 1 (Internal)

    Destination Address: My Virtual IP

    Service: HTTP, HTTPS

     

    Additional information:

    Port 2 (External) is an interface with address EXT_IP and PING, HTTPS and HTTP access.

     

    I thought that with this configuration, I could go to:

    http://EXT_IP:3000 and access my web server, but it's not the case, nothing happens.

     

    What am I missing ? 

     

    Many thanks, 

     

     

  • 13 REPLIES 13
    Shridhar
    New Contributor

    Make below changes in policy.

     

    Incoming interface: Port 2 (External) Source Address: all Outgoing Interface: Port 1 (Internal) Destination Address: My Virtual IP Service: PORT_3000

    syldor

    Do you mean creating a service with port 3000 redirection ? 

    Actually I tried Service: all and all_udp and it's still not working.

    Should I wait between updating rules and trying to access with my browser ?

    Thanks anyway, 

     

    Shridhar

    Just create a new service Port_3000 service in the firewall, & attached that service in policy.

    If you allowed all so it wont work.

    syldor

    Thanks Shridar but still no luck with the PORT_3000 service:

     

    Maybe some clues:

    My EXT_IP is the one of my physical interface open to internet, but on the configuration, I see a mask of 255.255.255.248, is it possible for a public IP address ? (I mean not to be 255.255.255.255).

    Shridhar

    Hi,

     

    Please don't define the Source Port in the Service & test.

     

    Regards,

    Shridhar

    Shridhar

     

    Shridhar

    Please see the below service, like you create the service & test

    syldor
    New Contributor

    Still no luck ...

    emnoc
    Esteemed Contributor III

    The diag debug flow is your friend but you probably don't have the  firewall-policy and/or forwarding vip working correctly. If this is a https website ,you might be best to  just redirect  x.x.x.x:443 to internal:3000 ( just a thought )

     

    Run diag debug flow with a filter of the internal server and validate the policy.

     

    e.g

     

    diag debug reset

    diag debug enable

    diag debug flow filter port 3000

    diag debug flow show console enable

    diag debug flow trace start 100

     

     

    Don't for get to disable after testing;

     

    diag debug dis

     

    Ken

     

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors