What are the services in this hairpin policy?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Source = ALL
Services = ALL
NAT = OFF
config firewall policy
edit <policy ID>
set match-vip enable
end
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
Selective wrote:
I thought that didn't matter if I already have the destination set as the VIP?
config firewall policy
edit <policy ID>
set match-vip enable
end
I made that edit and that didn't change anything.
Strange, I use it in our environment, please check the KB:
http://kb.fortinet.com/kb...teId=0%200%20105621158
I'm not sure I follow your reasons for using a hairpin here. You stated that your iPhone should only have internet access, and not be able to access anything on the LAN. But doesn't a hairpin specifically connect you to the internal IP when you try to connect to the public IP? Are you saying you want to allow only this particular access from the iPhone to your internal network?
You said NAT was off? For which security policies? Hopefully NAT isn't off for the policies where your iPhone is connecting to the WAN! I assume your iPhone is going to a specific public IP for the Exchange Server? And the hairpin you're using tries to have the iPhone's attempt to connect to the external IP of the mail server get routed back to its internal IP?
Assuming you still want the hairpin given the above, you probably need to track down if your issue is routing or security policies. Try the access and check the logs.
Have you created both outgoing and incoming security policies for the hairpin NAT?
As Selective mentioned:
Are you following the steps from http://kb.fortinet.com/kb/documentLink.do?externalID=FD36202?
Thanks - I went over that doc previously and that's what I used to make my hairpin policy.
I might be on the wrong track here with the hairpin, but that's what support told me I needed.
What I need to accomplish:
From the Public-WIFI, my iPhone needs to connect to my Exchange server so I get mail.
Selective wrote:
You said NAT was off? For which security policies? Hopefully NAT isn't off for the policies where your iPhone is connecting to the WAN! I assume your iPhone is going to a specific public IP for the Exchange Server? And the hairpin you're using tries to have the iPhone's attempt to connect to the external IP of the mail server get routed back to its internal IP?
NAT is only off on the hairpin policy. Like I said, I can get to the internet just fine, so I'm having a difficult time understanding why it's just internal email that won't work. If I'm on the Internet, shouldn't my phone be checking a public DNS to get my mail server IP, then just route traffic to that?
My DNS for email is my public IP, could that be causing a routing conflict?
Your policies do look fine to me as well - if your configuration really matches your description.
dan231 wrote:
From my iPhone, I can ping my mail server by name, but a tracert stops at the first hop: the FortiWIFI.
Do the ping packets really go out to your mail server? Have you confirmed this by sniffing on the Fortigate?
What happens to the HTTPS packets?
localhost wrote:
Do the ping packets really go out to your mail server? Have you confirmed this by sniffing on the Fortigate?
What happens to the HTTPS packets?
When I sniff traffic with my iPhone IP, I see no traffic listed.
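For reference, a minimal hairpin layout of the kind the KB article linked above describes, written here as an added example (not dan231's configuration and not Fortinet's own text): a VIP mapping the public address to the internal Exchange host, a Wi-Fi-to-LAN policy whose destination is that VIP, and the sniffer and flow-debug commands localhost asked about. Interface names, addresses and the client IP are placeholders chosen for the example.

```fortios
# Placeholders (not from the thread):
#   wifi = SSID interface the iPhone uses, lan = interface the Exchange host is on
#   203.0.113.10 = public IP the mail DNS name resolves to
#   10.0.0.25    = internal Exchange host,  192.168.50.20 = the iPhone

# 1. VIP: DNAT the public address to the Exchange host, HTTPS only.
#    extintf "any" lets the VIP match on the wifi interface as well as the WAN,
#    which is what makes the hairpin possible.
config firewall vip
    edit "vip-exchange-443"
        set extip 203.0.113.10
        set extintf "any"
        set portforward enable
        set mappedip "10.0.0.25"
        set extport 443
        set mappedport 443
    next
end

# 2. Hairpin policy: wifi -> lan, destination is the VIP object itself, so
#    match-vip is not needed. Only HTTPS to the VIP is permitted, so the phone
#    still has no general access to the LAN. NAT is enabled here so replies go
#    back through the FortiGate even if client and server share a subnet; with
#    the client on a separate Wi-Fi interface it can be left disabled.
config firewall policy
    edit 0
        set name "wifi-to-exchange-hairpin"
        set srcintf "wifi"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip-exchange-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end

# 3. Verify: does the phone's traffic reach the FortiGate at all? Sniff on all
#    interfaces for the phone's address; verbosity 4 prints the interface name.
diagnose sniffer packet any 'host 192.168.50.20 and port 443' 4 10

# 4. If packets arrive, trace the policy lookup and DNAT decision for one flow.
diagnose debug reset
diagnose debug flow filter addr 192.168.50.20
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
```

If the sniffer in step 3 shows nothing while the phone is connecting, the packets never reach the unit (wrong filter, wrong source address, or the phone is not actually on that SSID), and no policy change will help until that is resolved.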