MTCI
New Contributor

ICMP echo (PING) replies from secondary IP address

While helping a client set up an SSH server interface with a healthcare vendor I've run into a strange request I'm having difficulty fulfilling. This server is to be accessed via a secondary public IP address. The vendor wants this server to respond to ICMP echo (PING) requests. With a secondary valid public IP address, I’ve set up a Dynamic IP Pool and have used it to create an Internal – WAN policy for the SSH service. Traffic is now reaching the SSH server as intended. I cannot seem to sort through how to get the PING thing working. From the FortiGate I can successfully ping the local IP of the server. With other TCP/UDP services, the typical way to do port forwarding (via VIP) doesn’t cover services such as ICMP. I’ve also tried adding the second public IP address as a secondary address to the WAN1 interface… but that didn’t work either. Ideas? I’ve not found anything in the Forum that applies.
3 REPLIES
Carl_Wallmark
Valued Contributor

Hi, there is only one option: do a full one-to-one NAT, External -> Internal VIP. I requested a few years ago to be able to forward ICMP in a VIP... other vendors do this.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

fortigate2

I also have 3 public IPs (external IPs) and want to reply to PING from the 2nd and 3rd IPs. I have created a 1:1 NAT to the 2nd and 3rd public IPs in Virtual IP but can't get PING working on the 2nd and 3rd IPs; only the 1st public IP can reply to PING. Do I need to create a policy to allow PING to the 2nd and 3rd public IPs?
MTCI
New Contributor

Thanks - just spoke to FortiEngineer Ryan Archer who directed me to do this same thing and then refine what gets through via FWPs with services. ...working now!
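
The setup the replies above describe (a full one-to-one VIP, then a firewall policy that limits which services get through), sketched as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread or taken from Fortinet documentation. The object names, interface names and all addresses are constructed placeholders, and limiting the source to the vendor's network is an assumption added here for least privilege.

```fortios
# Constructed placeholder values throughout (RFC 5737 documentation ranges).

# Static one-to-one NAT: no port forwarding is set, so every protocol sent to
# the secondary public IP, ICMP included, is mapped to the internal server.
config firewall vip
    edit "vip-ssh-server"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
    next
end

# Assumption: the vendor connects from a known network, so the policy can be
# scoped to it instead of to "all".
config firewall address
    edit "vendor-net"
        set subnet 198.51.100.0 255.255.255.0
    next
end

# The policy is what narrows the one-to-one NAT back down: only SSH and ICMP
# echo (the predefined PING service) are accepted towards the VIP.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "vendor-net"
        set dstaddr "vip-ssh-server"
        set action accept
        set schedule "always"
        set service "SSH" "PING"
    next
end
```

Without a WAN-to-internal policy whose destination is the VIP object, nothing reaches the mapped server, so the service list in that policy is the place to keep the exposure limited to what the vendor actually needs.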