Hello,
we have two Fortigate 100D (HA Cluster)
v5.0,build0292 (GA Patch 9)
We use Swyx Server in our Environment. I installed a dedicated VM - Swyx - Remote Connector Server. We want to use the Services for our Cellphones when we are out of the Office. Cellphones can use Swyx Mobile and make calls over the Server. The Connector needs 2 Ports: 9101 for Authentication and 16203 for Remote Connector for Swyx.
So I configured Port Forwarding on the Fortinet.
Creating 2 Services
One with the Port 9101 and the other with Port 16203. Both are TCP Ports.
Creating 2 Addresses
1.
Name: Swyx RC
xxx.xxx.xxx.xxx one Public IP, which has a Subdomain Name (necessary for Users)
2.
Name: Swyx RC Server
192.168.xxx.xxx for the private Remote Connector Server Address
Both : Interface Any
Creating 2 VIPs
1.
Swyx Remote Connector
Type Static NAT
External IP - Swyx RC (as described above under Addresses)
Mapped IP - the private Remote Connector Server Address
Port Forwarding enabled
Protocol TCP
External Service Port -16203 - 16023
Map To Port - 16203 - 16203
2.
Swyx-Authent
Type Static NAT
External IP - Swyx RC (as described above under Addresses)
Mapped IP - the private Remote Connector Server Address
Port Forwarding enabled
Protocol TCP
External Service Port - 9101 - 9101
Map To Port - 9101 - 9101
Created a Policy
Policy Type - Firewall
Policy Subtype - Address
Incoming Interface - wan1
Source Address - Swyx RC (as described above under Addresses)
Outgoing Interface - internal
Destination Address - Swyx RC and Swyx Remote Connector Server I created (as described above under Addresses)
Schedule - always
Service - Swyx Remote Connector and Swyx Authent (as described above under Services)
Action - Accept
Enable NAT
##########
The Swyx Mobile won't work. The Ports are not open. Tested with a Portscanner from external.
I disabled the NAT Option, but it won't work.
Does anybody have an idea what the problem is here? Where is the mistake in my thinking?
Regards and thanks for Help
Xris
For the destination, put the VIP (or VIP group).
The destination can't be the internal IP address object. (For this scenario you don't need the local IP address object at all.)
In my scenario the Destination is the VIP already, one is the internal IP and the other is the Public IP.
OK, I took the internal object away and disabled NAT; as source I now use all.
But it won't work.
The source address is wrong; you need to use the source IP of the users who access the resource, or any if unknown.
The destination address is wrong; you need to use the VIP.
Your VIP needs to be associated with your Wan1 interface.
You do not need to enable NAT.
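Added example (not part of any post in this thread): the replies' advice written out as FortiOS CLI configuration, with the two VIPs bound to wan1, the policy destination set to the VIPs, source "all", and NAT off. The VIP and service names are the ones given in the question; the two IP addresses are constructed placeholders for the masked values, and the custom services are assumed to exist already.

```fortios
# Added example, not from the thread. Constructed placeholder addresses:
#   203.0.113.10 = public IP of the Remote Connector (masked in the post)
#   192.168.1.10 = private IP of the Remote Connector server (masked in the post)
config firewall vip
    edit "Swyx Remote Connector"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 192.168.1.10
        set portforward enable
        set protocol tcp
        set extport 16203
        set mappedport 16203
    next
    edit "Swyx-Authent"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 192.168.1.10
        set portforward enable
        set protocol tcp
        set extport 9101
        set mappedport 9101
    next
end

config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        # Source is the remote clients, not the firewall's own public address
        set srcaddr "all"
        # Destination is the VIP objects, not plain address objects
        set dstaddr "Swyx Remote Connector" "Swyx-Authent"
        set action accept
        set schedule "always"
        # Custom TCP services for 16203 and 9101, as named in the question
        set service "Swyx Remote Connector" "Swyx Authent"
        set nat disable
    next
end
```

While testing from outside, `diagnose sniffer packet wan1 'tcp port 16203 or tcp port 9101' 4` on the FortiGate shows whether the connection attempts reach wan1 at all. With source "all" both ports are reachable from any address, so restrict `srcaddr` if the client ranges are known.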