I have the following setup:
Site A -> Has static public ip
Site B -> Has no public ip
The two sites are connected via IPsec. I am trying to do port forwarding over the public IP while the VM itself is located in Site B.
I can't seem to get it to work. Moreover, when doing a ping I can ping it and telnet to it from any machine located within Site A, but I can't do it from the FortiGate console itself.
Any advice please?
Hello @gassoraba ,
If I understand correctly, you are trying to access the server in site B using the public IP address on site A. This should work without any problems. Is it possible for you to share with us the configurations you have made to understand where the problem is?
Hi @ozkanaltas ,
My config is as follows:
I have a Site A - Site B IPsec tunnel over the dedicated subnet. The public IP is on Site A on the Wan2 interface.
From there I added a virtual IP pointing to my local VM located in Site B on port 8062 and added a firewall policy between wan2 and the virtual IP for all services without NAT.
I don't know if I am missing something.
Hi @gassoraba ,
You said that there is no public IP on Site B, so you should configure DNAT on Site A. After this configuration, traffic can reach site B via ipsec.
The configuration should be made as follows. I gave IP addresses as an example. In the text below the boxes, I indicated what should be defined on which device.
Hi @ozkanaltas ,
Thank you so much for the detailed walkthrough. Unfortunately, I am still having the same issue. I have done the following:
- Virtual IP (my local server) on Site A -> (WAN - IPSEC)
- Virtual IP (my local server) on Site B -> (IPSEC - VIRTUAL IP)
Still, it's unable to resolve or reach it. What I have also noticed is that if I do "exec ping my local server IP" on the Site A FortiGate it won't resolve.
Hi @gassoraba ,
Why do you need to configure a virtual IP on Site B?
If you did a virtual IP configuration for the application server IP on Site A, that should be enough.
If you can't reach the application server from Site A, you need to check the IPsec phase 2 configuration. Maybe this server IP address wasn't added to the phase 2 configuration.
Hi @ozkanaltas ,
I removed the virtual IP from Site B but it's still not able to reach it. To clarify, I can reach the application server from Site A from any of the machines. It's just from the FortiGate itself that I can't ping it.
So any machine in Site A can ping the application server.
The FortiGate in Site A can't ping the application server.
Hi @gassoraba ,
The FortiGate may be trying to ping from its management IP address, and if this IP address is not included in the IPsec configuration, the FortiGate will not be able to ping. You can try pinging by setting the source IP to an address in any subnet that can ping.
execute ping-option source x.x.x.x
execute ping x.x.x.x
The problem is probably related to routing. Can you configure SNAT in the rule you defined on the Site A side? The NAT IP address can be any IP address that can reach the other side.
If possible, can you share the configuration with us?
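For reference, here is what the configuration discussed in this thread looks like in the FortiOS CLI on the Site A FortiGate. This is an added example, not configuration posted by either participant, and every interface name and IP address in it is an assumption: 203.0.113.10 is the public IP on wan2, "siteB_vpn" is the IPsec tunnel interface, 10.20.0.50 is the VM in Site B, and 10.10.0.254 is an unused address in the Site A LAN subnet that is already covered by the phase 2 selectors. The first policy is the one the original poster described (all services, no NAT) and is left disabled to show the weak variant; the second is the working version with SNAT and the service restricted to the one port being forwarded.

```fortios
# --- Site A FortiGate (example values; adjust interface names and IPs) ---

# Only expose the single port that is being forwarded, not "ALL".
config firewall service custom
    edit "TCP_8062"
        set tcp-portrange 8062
    next
end

# Port-forwarding VIP: public IP on wan2 -> VM in Site B (reached via IPsec).
config firewall vip
    edit "siteB_vm_8062"
        set extip 203.0.113.10
        set extintf "wan2"
        set portforward enable
        set mappedip "10.20.0.50"
        set extport 8062
        set mappedport 8062
    next
end

# Source-NAT pool: an address in the Site A LAN that is inside the phase 2
# selectors, so Site B has a route back through the tunnel.
config firewall ippool
    edit "siteA_lan_snat"
        set type overload
        set startip 10.10.0.254
        set endip 10.10.0.254
    next
end

config firewall policy
    # Original (non-working) variant from the thread: no NAT, all services.
    # Replies from the VM are sourced to the internet client's address and
    # Site B has no route for that, so the connection never completes.
    edit 0
        set name "wan2_to_siteB_vip_noNAT"
        set srcintf "wan2"
        set dstintf "siteB_vpn"
        set srcaddr "all"
        set dstaddr "siteB_vm_8062"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set status disable
    next
    # Working variant: SNAT to a Site A LAN address and a single service.
    edit 0
        set name "wan2_to_siteB_vip"
        set srcintf "wan2"
        set dstintf "siteB_vpn"
        set srcaddr "all"
        set dstaddr "siteB_vm_8062"
        set action accept
        set schedule "always"
        set service "TCP_8062"
        set nat enable
        set ippool enable
        set poolname "siteA_lan_snat"
        set logtraffic all
    next
end

# Verify reachability from the FortiGate itself with a source address that
# the tunnel's phase 2 covers, then watch the forwarded traffic on the wire.
execute ping-option source 10.10.0.254
execute ping 10.20.0.50
diagnose sniffer packet any 'host 10.20.0.50 and port 8062' 4
```

Two checks a practitioner should make before relying on this: confirm with `diagnose vpn tunnel list` that the Site A phase 2 selector includes 10.10.0.254 (or the LAN subnet it belongs to) and that the Site B selector includes 10.20.0.50, and confirm that the Site B FortiGate has a policy from its tunnel interface to the VM's LAN allowing TCP/8062 from the SNAT address. Without SNAT the VM would answer directly to the internet client's address, which Site B cannot route through the tunnel; this is the same reason the FortiGate's own ping fails when it is sourced from an address outside the selectors.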
It seems the SNAT worked. Thank you so much.
Hi @gassoraba ,
I'm glad it was resolved. :)