Created on 07-29-2011 12:15 PM
I have created a Firewall Policy allowing all hosts on the WAN to connect to the test server using the Custom Service. "Enable NAT" is not checked.

And if your DMZ server runs with a private IP address like 192.168.x.y, how would a host on the internet determine the route back to it? You definitely need to check the NAT option in the outgoing policy here. There is one special case here: if traffic is coming in to a VIP, and the VIP is NOT port forwarding, then the return traffic will be source-NATted automatically when traversing the VIP. But in no case will traffic originating from the DMZ server be NATted unless you enable the NAT option.

I have created two firewall policies to allow all traffic from the LAN to the WAN and from the LAN to the DMZ. Both of these are "Enable NAT" and "Log allowed traffic".

The traffic from LAN to DMZ does not need (source) NAT, as the route back to the LAN is well known to the FGT - it's directly connected. As it is configured now, all traffic from LAN to DMZ appears to come from the LAN's interface IP. You don't need a custom service definition for an already predefined service. HTTP will do. Please delete the 'wan->wan' policy immediately if not already done. Please try to change your config accordingly and report back. If you do, please include the VIP definition, the static routes and the policy (get them from the CLI). The Traffic log is not the appropriate tool to debug this. FortiGates come with a built-in sniffer (tcpdump alike). But you probably won't need it now. Do you have the FortiOS Handbook for your FortiOS version? You get it at http://docs.fortinet.com . All the major concepts are clearly laid out there and a lot of real-world examples are given. If unsure, come back to the forum.
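As an added example (not part of the original post or its author's configuration), here is what the policy set recommended above looks like in FortiOS CLI form. Interface names (internal, dmz, wan1), the public address 203.0.113.10, the server address 192.168.10.5 and the gateway 203.0.113.1 are assumed placeholders; substitute your own. The point of the example is where NAT is and is not enabled: source NAT only on policies whose return traffic would otherwise have no route back (DMZ or LAN to WAN), none on LAN to DMZ (directly connected), and none on the inbound VIP policy (the VIP handles the translation).

```text
# Default route so the FortiGate can reach the internet via wan1
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# VIP: public 203.0.113.10:80 -> DMZ server 192.168.10.5:80
# (port forwarding enabled, so only TCP/80 is mapped; without
#  "portforward enable" the whole public IP would be mapped 1:1)
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.5"
        set extport 80
        set mappedport 80
    next
end

config firewall policy
    # 1. Internet -> DMZ web server through the VIP.
    #    Destination is the VIP object, not the server's private IP.
    #    NAT stays disabled here; the VIP does the destination translation.
    edit 1
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    # 2. DMZ server -> Internet (updates, DNS, etc.).
    #    Source NAT is required: a private source address has no
    #    route back from the internet.
    edit 2
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # 3. LAN -> Internet: source NAT required for the same reason.
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # 4. LAN -> DMZ: the LAN subnet is directly connected, so the
    #    FortiGate already knows the return route. No NAT, otherwise
    #    the server's logs show every client as the dmz interface IP.
    edit 4
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

There is deliberately no wan1 -> wan1 policy. To verify the translations rather than reading the traffic log, the built-in sniffer mentioned above shows both legs of a session, for example `diagnose sniffer packet any 'host 192.168.10.5 and port 80' 4` while a client connects to 203.0.113.10; inbound packets should arrive with their original public source address, and anything the server initiates towards the internet should leave wan1 rewritten to the wan1 address.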
Created on 08-01-2011 12:11 PM