Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ck0m0pox
New Contributor

One way pings

Dear colleagues, hello.


I have:

1. A FortiGate where several networks terminate.

2. Mostly, they are all isolated from one another.

3. I need access from a specific IP A in Network A to IP B in Network B, and vice versa.

4. I've created mirroring policies: one allowing traffic from Source IP A on incoming Interface A to Destination IP B on outgoing Interface B, and a second policy with the sides swapped, where the source is B and the destination is A.

5. I can ping from A to B, but cannot from B to A.


There are no policies above these that could deny that.

Any clues?

Thank you!

9 REPLIES
Toshi_Esumi
SuperUser

You didn't mention the interfaces: whether A and B are connected on two different interfaces, or VLAN subinterfaces, etc. But if so, I would sniff on the interface for A while pinging from B to see if the packets are going out. If they're not going out, it's time to run "flow debug" to see why the FGT drops them. You can find many discussions and articles about flow debug on the internet.

sw2090

Also mind the order of your policies! Policies are handled top-down and the first match wins the packet. So if there is a policy that matches the packet and blocks it in front of the ones you mentioned, then it will be hit instead!

Also, a reverse policy is only needed if connections shall be initiated from both sides.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Ck0m0pox

Thank you for the responses.

@Toshi, A and B are both on different VLAN subs, although it's one physical.

@sw2090 can I debug somehow to check which policy treats the exact traffic from host A to host B? Thank you!

Ck0m0pox

BTW, is it possible to use the Virtual IP option to configure direct port mapping for internal IPs? If I want to keep the port from IP A:2002 (example) to IP B:2002 and vice versa?


sw2090

You could use the policy lookup in the web GUI to check this.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Ck0m0pox

Could you please advise me, as I can't figure that out by myself. How can I keep a port in a local TCP session between two IPs, 192.168.10.10 and 172.18.1.1 for example? I see on an end device that the session was started from port 9002, but on the destination address it goes to 60601, for example. And I need an exact match, 9002 -> 9002. I have NAT enabled and "preserve source port" as well. Can I do it via Virtual IP port mapping?

Benoit_Rech_FTNT

Hello,

you can configure the ports to have an exact match 9002 -> 9002. You should follow this KB: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD48438

Best regards,
Benoit

Ck0m0pox

@Benoit, but will it work for internal IPs that are local to the FortiGate? There is no need to map external (public) IPs to local ones; I need to map LOCAL - LOCAL. Thank you in advance.

Benoit_Rech_FTNT

Hello,

the KB shows external to internal IPs, but you can apply this KB to internal (or local) subnets. Basically, it's doing static NAT between your 2 networks. But, from what you requested at the beginning of the post, you need to access server B (192.168.10.30) from server A (172.18.1.10), which are located on subnet B (192.168.10.10 on the FGT) and subnet A (172.18.1.1 on the FGT).

* serverB: configure either a default route, or a /32 route to 172.18.1.10 through 192.168.10.10
* serverA: configure either a default route, or a /32 route to 192.168.10.30 through 172.18.12.10
* configure firewall policy or policies if both networks can be source networks.

If you don't use NAT, then your original ports will be kept. Otherwise, you can follow the KB and have static NAT.

Benoit    
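A worked FortiOS CLI session for the sniff-then-flow-debug troubleshooting Toshi_Esumi describes and the internal static NAT Benoit outlines, added here as an example; it is not taken from the thread or from Fortinet's KB article. It assumes the addresses from Benoit's post, and the sub-interface names vlanA/vlanB, the VIP name and the address 172.18.1.50 are placeholders.

```text
# Added example, not from the thread or the Fortinet KB. Assumes the hosts from
# Benoit's post: server A 172.18.1.10 on sub-interface "vlanA" (FGT 172.18.1.1),
# server B 192.168.10.30 on sub-interface "vlanB" (FGT 192.168.10.10).
# Interface names, the VIP name and the address 172.18.1.50 are assumptions.

# 1) Does B's echo request reach the FGT, and does it leave on vlanA?
#    Verbosity 4 prints the interface with each packet; 20 = packet count.
diagnose sniffer packet any 'host 192.168.10.30 and host 172.18.1.10 and icmp' 4 20

# 2) If nothing leaves on vlanA, trace B->A ICMP through the policy engine.
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.10.30
diagnose debug flow filter daddr 172.18.1.10
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
# ... ping from B to A now. "Allowed by Policy-<id>" names the matching policy,
#     "Denied by forward policy check" means no policy matched, and
#     "reverse path check fail" is a routing problem rather than a policy one.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear

# 3) CLI form of the GUI policy lookup sw2090 mentions:
#    <src ip> <src port> <dst ip> <dst port> <protocol> <src interface>
diagnose firewall iprope lookup 192.168.10.30 0 172.18.1.10 0 1 vlanB

# 4) Static NAT between the two internal subnets that keeps TCP 9002 -> 9002
#    (Benoit's "apply the KB to local subnets"), A->B direction. A connects to
#    172.18.1.50:9002 on its own subnet; the FGT maps it to server B:9002.
config firewall vip
    edit "vip-serverB-9002"
        set extintf "vlanA"
        set extip 172.18.1.50
        set mappedip "192.168.10.30"
        set portforward enable
        set protocol tcp
        set extport 9002
        set mappedport 9002
    next
end
# A vlanA -> vlanB accept policy with dstaddr "vip-serverB-9002" and NAT disabled
# is still required; B->A needs a mirrored VIP on vlanB plus its own policy.
```

Run the sniffer in one session and the ping from B in another, and clear the flow filter afterwards so later debugging is not silently narrowed to these two hosts.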
