Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ricardomaguiar
New Contributor

Port Forward in Fortigate 60D (v5.4.6)

I created an IPv4 Policy rule for RDP access to an external server. 
In the field "Source" is set to ALL where access works very well.
Now I want to change the "Source" to an IP of a network, so I created an Addresses with IP / Netmask and changed it in the "Source"
of IPv4 Policy but I can't access it.

Need help!

Ricardo Aguiar
From Brazil
5 REPLIES 5
Toshi_Esumi
SuperUser
SuperUser

If the change is really only the "source" on the policy, either you miscalculated subnet mask or the actual source IP is not what you're thinking. If you run sniffer like "diag sniffer packet any 'net 192.168.0.0/24 and port 3389' 4" while attempting RDP access, you can see the actual source IP address coming from.

 

If they are correct and still the packets don't go out toward the outgoing interface, that's when you need to run "flow debug" to see why they're dropped.

ricardomaguiar

Hi Toshi,

See result below.

172.16.48.4 is my server TS port 3389

192.168.20.254 is a Gateway in Static Router from internal2 interface.

 

# diag sniffer packet any 'net 172.16.48.4/32 and port 3389' 4
interfaces=[any]
filters=[net 172.16.48.4/32 and port 3389]
7.124401 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: syn 2354227045 
7.124709 internal1 in 172.16.48.4.3389 -> 192.168.20.254.58892: syn 2430609721 ack 2354227046 
7.339549 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: ack 2430609722 
7.339663 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: psh 2354227046 ack 2430609722 
7.343909 internal1 in 172.16.48.4.3389 -> 192.168.20.254.58892: psh 2430609722 ack 2354227093 
7.650827 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: ack 2430609741 
9.923764 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: rst 2354227093 ack 2430609741 
Toshi_Esumi

So you originally meant to say ...

"I created an IPv4 Policy rule for RDP access to an internal server (172.16.48.4 connected via internal1) from outside." If that's the case, I see NAT is on at the policy. The server should see the source IP address (outside IP) when the packets arrive. Turn the NAT off then try again.

Toshi_Esumi

Oh, I forgot you mentioned "changing source changes behavior". Probably you took source and destination reversed. In this cause, currently NAT(SNAT) is on at the router and changing source to its own IP. Then all "source" at the FGT's policy should be 192.168.20.254. And the destination is 172.16.48.4 at port 3389.

But once you turn off NAT at the router, you should set the source "all" if it's coming from the internet.

ricardomaguiar

Thanks Toshi.

Problem solved, NAT disable in router wifi.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors