dan231
New Contributor

Looking for help with a hairpin route/policy

Setup:
Internal MS Exchange Server
FortiWIFI (VLAN'd from the internal network for guest access to the Internet)
Fortigate FW
iPhone with ActiveSync email access to MS Exchange
Internet = WAN1
Internal Network = WAN2
Public-WIFI = VLAN on WAN2
VIP = External IP --> Mail server (any int)

I have all my routes and policies set up so from my iPhone I can get WIFI internet AND not see any internal devices. The problem is that I cannot get email access on my iPhone. I now have a hairpin that I believe should work but doesn't. From my iPhone, I can ping my mail server by name, but a tracert stops at the first hop: the FortiWIFI.

Current Hairpin policy: Public-WIFI (VLAN on WAN2) --> WAN2 (internal) with Destination of my VIP

I've been stuck at this for over a week and I can't wrap my head around this. I have a support ticket open and have reviewed the Fortigate docs on hairpin setup.
rwpatterson
Valued Contributor III

What are the services in this hairpin policy?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

dan231

Source = ALL

Services = ALL

NAT = OFF

Carl_Wallmark

config firewall policy
    edit <policy ID>
        set match-vip enable
end

 

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

dan231

Selective wrote:

config firewall policy
    edit <policy ID>
        set match-vip enable
end

I thought that didn't matter if I already have the destination set as the VIP?

I made that edit and that didn't change anything.

Carl_Wallmark

Strange, I use it in our environment, please check the KB:

 

http://kb.fortinet.com/kb...teId=0%200%20105621158

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

tanr
Valued Contributor II

I'm not sure I follow your reasons for using a hairpin here.  You stated that your iPhone should only have internet access, and not be able to access anything on the lan.  But doesn't a hairpin specifically connect you to the internal IP when you try to connect to the public IP?  Are you saying you want to allow only this particular access from the iPhone to your internal network?

 

You said NAT was off?  For which security policies?  Hopefully NAT isn't off for the policies where your iPhone is connecting to the wan!  I assume your iPhone is going to a specific public IP for the Exchange Server?  And the hairpin you're using tries to have the iPhone's attempt to connect to the external IP of the mail server get routed back to its internal IP?

  

Assuming you still want the hairpin given the above, you probably need to track down if your issue is routing or security policies.  Try the access and check the logs.

 

Have you created both outgoing and incoming security policies for the hairpin NAT?

As Selective mentioned:  

Are you following the steps from http://kb.fortinet.com/kb/documentLink.do?externalID=FD36202?
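For readers who want to see what "both policies plus the VIP" looks like in the CLI, here is an added example of the pair of policies discussed above. It is not configuration from this thread or from the Fortinet KB; all interface names, addresses and policy IDs are constructed placeholders (wan1 = Internet, wan2 = internal LAN, guest-wifi = the Public-WIFI VLAN, 203.0.113.10 = the mail server's public IP, 192.168.10.25 = the Exchange server's internal IP), and the `#` lines are annotations rather than FortiOS commands. The hairpin policy is deliberately scoped to HTTPS only, with NAT enabled and logging on, instead of Service = ALL / NAT = OFF, so the guest segment gets exactly the one service it needs and every accepted session is visible in the traffic log.

```text
# Added example: VIP plus inbound and hairpin policies for ActiveSync over HTTPS.
# All names and addresses below are constructed placeholders.

config firewall vip
    edit "vip-exchange-https"
        set extip 203.0.113.10
        set extintf "any"          # "any" lets the VIP match on the guest VLAN too
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip 192.168.10.25
        set mappedport 443
    next
end

# Policy 1: Internet -> Exchange (the normal inbound publish, untouched by the hairpin)
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "vip-exchange-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# Policy 2: guest VLAN -> Exchange via the public IP (the hairpin).
# Destination is the VIP object, NAT is enabled so the server's replies come
# back through the FortiGate, and the service is HTTPS only, not ALL.
config firewall policy
    edit 11
        set srcintf "guest-wifi"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "vip-exchange-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set match-vip enable
        set logtraffic all
    next
end
```

Policy 11 must sit above any guest-to-internal deny rule, since FortiGate evaluates policies top down and the deny would otherwise win; with `logtraffic all` on it, a phone that still cannot sync should show up either as an accepted session on policy 11 (routing problem) or not at all (policy problem), which is the distinction the post above suggests checking first.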

 

dan231
New Contributor

Thanks - I went over that doc previously and that's what I used to make my hairpin policy.

I might be on the wrong track here with the hairpin, but that's what support told me I needed.

 

What I need to accomplish:

From the Public-WIFI, my iPhone needs to connect to my Exchange server so I get mail.

 

Selective wrote:
You said NAT was off?  For which security policies?  Hopefully NAT isn't off for the policies where your iPhone is connecting to the wan!  I assume your iPhone is going to a specific public IP for the Exchange Server?  And the hairpin you're using tries to have the iPhone's attempt to connect to the external IP of the mail server get routed back to its internal IP?

 

NAT is only off on the hairpin policy.  Like I said I can get to the internet just fine, so I'm having a difficult time understanding why it's just internal email that won't work.  If I'm on the Internet, shouldn't my phone be checking a public DNS to get my mail server IP, then just route traffic to that?

 

My DNS for email is my public IP, could that be causing a routing conflict?

localhost
Contributor III

Your policies do look fine to me as well - if your configuration really matches your description.

 

dan231 wrote:

From my iPhone, I can ping my mail server by name, but a tracert stops at the first hop: the FortiWIFI.

 

Do the ping packets really go out to your mail server? Have you confirmed this by sniffing on the Fortigate?

What happens to the HTTPS packets?
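The two questions above (do the pings really leave towards the mail server, and what happens to the HTTPS packets) are answered on the FortiGate CLI with the built-in sniffer and the debug-flow tracer. The following is an added example of that check, not commands posted in this thread; 10.50.0.20 (a guest-WiFi client) and port 443 are constructed values, and the `#` lines are annotations rather than commands.

```text
# Added example: confirm on the FortiGate whether the guest client's packets
# arrive, and which route/policy the firewall applies to them.

# 1. Everything to or from the client, on all interfaces, with interface names
#    shown (verbose level 4). No output here means the packets never reach the
#    FortiGate and the problem is on the WiFi/VLAN side, not in the policies.
diagnose sniffer packet any 'host 10.50.0.20' 4

# 2. Just the hairpin flow. With a working VIP the same packet should appear
#    twice: arriving on the guest VLAN with the public IP as destination, then
#    leaving on the internal interface rewritten to the Exchange server's IP.
diagnose sniffer packet any 'host 10.50.0.20 and port 443' 4

# 3. Have the firewall explain its decision for that client's sessions
#    (route lookup, policy match, NAT). Trace 20 packets, then clean up.
diagnose debug flow filter addr 10.50.0.20
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... trigger a mail check from the phone and read the trace, then:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```

Step 1 is the decisive one for the symptom described in this thread: a traceroute that dies at the first hop with no matching packets in the sniffer points at the VLAN or guest-isolation setting on the FortiWIFI rather than at the hairpin policy itself, and the debug-flow output in step 3 will name the policy ID that accepted or dropped each packet once they do arrive.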

dan231

localhost wrote:

Do the ping packets really go out to your mail server? Have you confirmed this by sniffing on the Fortigate?

What happens to the HTTPS packets?

When I do sniffer traffic with my iPhone IP, I see no traffic listed.
