Hi Gurus,
I have a problem with my rules from LAN (private IP) to LAN (public IP)/(private IP). My FG-1500D has 4 ports used, single VDOM, FOS 5.2.2 (GA).
port26 - connected to ISP
port22 - connected to 103.x.x.x/25
port23 - connected to 172.27.18.0/24
port34 - created some vlans, i.e. 172.27.1.0/24, 172.27.2.0/24, etc.
I have a static route to the internet via port26. I have all routing for all IP subnets and ports in the monitor, and it looks like it works correctly. I have these policies:
1. from all ports to port26, it's working properly
2. from port26 to port22, it's working properly
3. from port34 (vlans) to port22, it DOES NOT work
4. from port34 (vlans) to port23, it DOES NOT work
5. from port23 to port22, it DOES NOT work
I need some advice to solve this problem.
Many thanks,
Regards,
Daniel
I also second the diag debug flow, but also ensure, if you're using dynamic DHCP, that you gave the right next-hop gateway out to your clients in the LANs that don't work. But it seems like your problem is all 802.1q tagged subinterfaces, so I'm guessing you should start at layer 2. So have you ensured these are correctly configured in the layer 2 setup and switch?
Can a host in vlanXXX ping the FortiGate L3 interface address in vlanXXX (ensure allowaccess ping is enabled)?
Can you source a ping from the FGT using the L3 subinterface address on vlanXXX and ping the other LANs or private/public IPs?
e.g.
execute ping-option source x.x.x.x
execute ping y.y.y.y ( with y.y.y.y being an address on internet or another interface )
PCNSE
NSE
StrongSwan
emnoc wrote: I also second the diag debug flow, but also ensure, if you're using dynamic DHCP, that you gave the right next-hop gateway out to your clients in the LANs that don't work. But it seems like your problem is all 802.1q tagged subinterfaces, so I'm guessing you should start at layer 2. So have you ensured these are correctly configured in the layer 2 setup and switch?
Can a host in vlanXXX ping the FortiGate L3 interface address in vlanXXX (ensure allowaccess ping is enabled)?
Can you source a ping from the FGT using the L3 subinterface address on vlanXXX and ping the other LANs or private/public IPs?
e.g.
execute ping-option source x.x.x.x
execute ping y.y.y.y ( with y.y.y.y being an address on internet or another interface )
Hi,
Yes, I am using DHCP for wifi clients, and I created some vlans on port34; each vlan has its IP address acting as the gateway for that LAN.
I can't get a result from:
execute ping-option source 172.27.25.1
execute ping 8.8.8.8
BUT my clients on that subnet can access the internet normally; they just cannot access port22 and port23.
I have good news: now I can traceroute to the subnet 103.x.x.0/25 on port22 and also ping it.
For the other one, port23, its 172.27.18.0/24 still cannot be reached from the vlans on port34.
regards,
Daniel
msg="DNAT 103.229.203.2:40048->172.27.212.100:40048"
The firewall is doing destination NAT, which means there is a VIP configured for 103.229.203.2.
Please check the VIP configuration in case it was created by mistake.
Also, have you set the interface to any for the VIP?
If you delete the VIP the traffic should work.
Post the VIP configuration if you need help.
2015-02-19 05:49:38 id=20085 trace_id=281 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.25.81:1->172.27.18.102:8) from vlan_26_puskom. code=8, type=0, id=1, seq=3188."
2015-02-19 05:49:38 id=20085 trace_id=281 func=init_ip_session_common line=4522 msg="allocate a new session-006986f1"
2015-02-19 05:49:38 id=20085 trace_id=281 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.27.18.102 via vlan_19_server"
2015-02-19 05:49:38 id=20085 trace_id=281 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 0)"
If this is the packet, then check the following:
1) Do you have a policy between vlan_26_puskom and vlan_19_server?
2) Is the service set to All (check that All has protocol any, not only TCP)?
3) Are the incoming and outgoing interfaces correct as per the design?
ashukla wrote:
2015-02-19 05:49:38 id=20085 trace_id=281 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.25.81:1->172.27.18.102:8) from vlan_26_puskom. code=8, type=0, id=1, seq=3188."
2015-02-19 05:49:38 id=20085 trace_id=281 func=init_ip_session_common line=4522 msg="allocate a new session-006986f1"
2015-02-19 05:49:38 id=20085 trace_id=281 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.27.18.102 via vlan_19_server"
2015-02-19 05:49:38 id=20085 trace_id=281 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 0)"
If this is the packet, then check the following:
1) Do you have a policy between vlan_26_puskom and vlan_19_server?
2) Is the service set to All (check that All has protocol any, not only TCP)?
3) Are the incoming and outgoing interfaces correct as per the design?
Hi Ashukla,
I'm sorry, I forgot to change the policy. Last night I changed the port type from a physical interface (port23) to a VLAN interface (vlan_19_server) on port23, but did not change the policy. Now I can reach that area (vlan_19_server, servers in 172.27.18.0/24).
But I still have a question about the policy "from ANY to port22". Since I first created this policy, it did not work. When tracing to servers in this area (connected to port22), traffic was always redirected to the internet (port26). But last night when I came to the site and tested the connection, it worked.
Thank you for your response, and also thanks to all of you who responded to my case.
By now, my cases are solved.
Regards,
Daniel
Hello Daniel,
That could be due to the existing session on the Fortigate. Clearing the session before testing might have helped to confirm the behavior.
Cheers
Hi,
I have a problem accessing port22: some IP addresses are accessible but some cannot be reached. I can ping from the FGT's interface to the servers, but only some IPs respond from the other side (LAN). Here is the capture from debug:
2015-02-20 19:15:29 id=20085 trace_id=453 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.219.254:34075->103.229.202.78:8) from vlan_staf_aruba. code=8, type=0, id=34075, seq=16."
2015-02-20 19:15:29 id=20085 trace_id=453 func=init_ip_session_common line=4522 msg="allocate a new session-0214e4ad"
2015-02-20 19:15:29 id=20085 trace_id=453 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Need your help ASAP. Thank you.
Daniel
teri.ireng wrote: Hi,
I have a problem accessing port22: some IP addresses are accessible but some cannot be reached. I can ping from the FGT's interface to the servers, but only some IPs respond from the other side (LAN). Here is the capture from debug:
2015-02-20 19:15:29 id=20085 trace_id=453 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.219.254:34075->103.229.202.78:8) from vlan_staf_aruba. code=8, type=0, id=34075, seq=16."
2015-02-20 19:15:29 id=20085 trace_id=453 func=init_ip_session_common line=4522 msg="allocate a new session-0214e4ad"
2015-02-20 19:15:29 id=20085 trace_id=453 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Need your help ASAP. Thank you.
Daniel
Check if you have any ip-pool configured for ip 103.229.202.78.
Check if ip-pool range contains this ip and if so remove it.
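An added example, not code from this thread or from Fortinet: a small Python parser for the "diag debug flow" lines quoted above. It groups lines by trace_id and maps the three situations seen in this thread (the DNAT message pointing at a VIP, the forward-policy deny between vlan_26_puskom and vlan_19_server, and the local-in drop for 103.229.202.78 that ashukla traced to an IP pool) to the check each reply suggested. The sample input is constructed from the thread's own lines; the func name and trace_id on the DNAT line are assumed.

```python
import re

# Constructed sample: the two traces quoted in this thread plus one DNAT line built
# from the "DNAT 103.229.203.2:40048->172.27.212.100:40048" message (func/trace_id assumed).
SAMPLE_TRACE = """\
2015-02-19 05:49:38 id=20085 trace_id=281 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.25.81:1->172.27.18.102:8) from vlan_26_puskom. code=8, type=0, id=1, seq=3188."
2015-02-19 05:49:38 id=20085 trace_id=281 func=init_ip_session_common line=4522 msg="allocate a new session-006986f1"
2015-02-19 05:49:38 id=20085 trace_id=281 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.27.18.102 via vlan_19_server"
2015-02-19 05:49:38 id=20085 trace_id=281 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 0)"
2015-02-20 19:15:29 id=20085 trace_id=453 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.219.254:34075->103.229.202.78:8) from vlan_staf_aruba. code=8, type=0, id=34075, seq=16."
2015-02-20 19:15:29 id=20085 trace_id=453 func=init_ip_session_common line=4522 msg="allocate a new session-0214e4ad"
2015-02-20 19:15:29 id=20085 trace_id=453 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
2015-02-19 06:00:00 id=20085 trace_id=999 func=__ip_session_run_tuple line=4898 msg="DNAT 103.229.203.2:40048->172.27.212.100:40048"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
DNAT_RE = re.compile(r'DNAT ([\d.]+):\d+->([\d.]+):\d+')

def parse_flow_trace(text):
    """Group flow-trace lines by trace_id; record src/dst/interfaces and the final verdict."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a flow-trace line
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"trace_id": tid, "verdict": "no verdict seen", "hint": ""})
        pkt = PKT_RE.search(msg)
        if pkt:
            t["src"], t["dst"], t["in_iface"] = pkt.groups()
        route = ROUTE_RE.search(msg)
        if route:
            t["out_iface"] = route.group(1)  # egress interface chosen by the route lookup
        dnat = DNAT_RE.search(msg)
        if dnat:
            t["dnat"] = dnat.groups()  # destination NAT means a VIP matched this address
            t["hint"] = "a VIP exists for %s (DNAT to %s); check it is intended" % dnat.groups()
        if func == "fw_forward_handler" and "Denied by forward policy check" in msg:
            t["verdict"] = "denied: forward policy (policy 0 = implicit deny)"
            t["hint"] = "no policy matched %s -> %s; check interfaces and service" % (t.get("in_iface"), t.get("out_iface"))
        elif func == "fw_local_in_handler" and "iprope_in_check() check failed" in msg:
            t["verdict"] = "dropped: local-in path"  # FortiGate treated dst as its own address
            t["hint"] = "FortiGate owns %s locally; look for an IP pool or VIP containing it" % t.get("dst")
    return list(traces.values())

if __name__ == "__main__":
    for t in parse_flow_trace(SAMPLE_TRACE):
        print(t["trace_id"], t["verdict"], "-", t["hint"])
```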
ashukla wrote: teri.ireng wrote: Hi,
I have a problem accessing port22: some IP addresses are accessible but some cannot be reached. I can ping from the FGT's interface to the servers, but only some IPs respond from the other side (LAN). Here is the capture from debug:
2015-02-20 19:15:29 id=20085 trace_id=453 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.219.254:34075->103.229.202.78:8) from vlan_staf_aruba. code=8, type=0, id=34075, seq=16."
2015-02-20 19:15:29 id=20085 trace_id=453 func=init_ip_session_common line=4522 msg="allocate a new session-0214e4ad"
2015-02-20 19:15:29 id=20085 trace_id=453 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Need your help ASAP. Thank you.
Check if you have any ip-pool configured for ip 103.229.202.78.
Check if ip-pool range contains this ip and if so remove it.
Hi,
Yes, I have that ip-pool; it's a typo, it should be .203.78.
It solved the problem.
Thank you.
Daniel