Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gassoraba
New Contributor

Port Forwarding over site-to-site VPN

I have the following setup:

Site A -> Has static public ip

Site B -> Has no public ip

 

The two sites are connected via IPsec. I am trying to do port forwarding over the public IP while the VM itself is located in Site B.

 

I can't seem to get it to work. Moreover, I can ping it and telnet to it from any machine located within Site A, but can't do it from the FortiGate console itself.

 

Any advice please?

ozkanaltas
Valued Contributor III

Hello @gassoraba ,

 

If I understand correctly, you are trying to access the server in site B using the public IP address on site A. This should work without any problems. Is it possible for you to share with us the configurations you have made to understand where the problem is?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
gassoraba

Hi @ozkanaltas ,

 

My config is as follows:

 

I have the Site A - Site B IPsec over the dedicated subnet. The public IP is on Site A, on the WAN2 interface.

 

From there I added a virtual IP pointing to my local VM located in Site B over port 8062, and added a firewall policy between WAN2 and the virtual IP for all services without NAT.

 

I don't know if I am missing something.

ozkanaltas
Valued Contributor III

Hi @gassoraba ,

 

You said that there is no public IP on Site B, so you should configure DNAT on Site A. After this configuration, traffic can reach Site B via IPsec.

 

The configuration should be made as follows. I gave IP addresses as an example. In the text below the boxes, I indicated what should be defined on which device.

 

[Attached image: configuration diagram with the example IP addresses and the per-device settings; not reproduced here]

gassoraba

Hi @ozkanaltas ,

 

Thank you so much for the detailed walkthrough. Unfortunately, I am still having the same issue. I have done the following:

 

- Virtual IP (My Local Server) on Site A -> (WAN - IPSEC)

- Virtual IP (My Local Server) on Site B -> (IPSEC - VIRTUAL IP)

 

Still, it's unable to resolve it or reach it. What I have also noticed is that if I do "exec ping <my local server IP>" on the Site A FortiGate, it won't resolve.

ozkanaltas
Valued Contributor III

Hi @gassoraba ,

 

Why do you need to configure a virtual IP on Site B?

 

If you configured a virtual IP for the application server IP on Site A, that should be enough.

 

If you can't reach the application server from Site A, you need to check the IPsec phase 2 configuration. Maybe this server's IP address wasn't added to the phase 2 configuration.

gassoraba

Hi @ozkanaltas ,

 

I removed the virtual IP from Site B, but it's still not able to reach it. To clarify: I can reach the application server from Site A from any of the machines. It's just the FortiGate itself that can't ping it.

 

So any machine in Site A can ping the application server.

The FortiGate in Site A can't ping the application server.

ozkanaltas
Valued Contributor III

Hi @gassoraba ,

 

The FortiGate may be trying to ping from its management IP address, and if this IP address is not included in the IPsec configuration, the FortiGate will not be able to ping. You can try to ping by setting the source IP to one from any subnet that can ping.

 

execute ping-options source x.x.x.x
execute ping x.x.x.x

 

The problem is probably related to routing. Can you configure SNAT in the rule you defined on the Site A side? The NAT IP address can be any IP address that can reach the other side.

 

If it is possible, can you share the configuration with us?

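As an added example (not posted by either participant in this thread), here is the FortiOS CLI equivalent of what ozkanaltas describes across his replies: a VIP on Site A's WAN2 for the DNAT, a policy from WAN2 into the tunnel that uses the VIP as its destination with NAT enabled, an IP pool inside Site A's LAN so the SNAT address is one "that can reach the other side", phase 2 selectors covering both LANs, and the source-bound ping test from the FortiGate itself. All interface names, tunnel names, addresses and the pool address are assumed placeholders, not values from the thread.

```fortios
# Site A FortiGate (owns the public IP on wan2). Assumed placeholders:
#   203.0.113.10   = Site A public IP on wan2
#   10.10.0.0/24   = Site A LAN          10.10.0.1 = Site A LAN interface IP
#   10.20.0.0/24   = Site B LAN          10.20.0.50 = application server
#   "siteB-vpn"    = IPsec phase 1 / tunnel interface name

# 1. DNAT: public IP:8062 -> application server behind the tunnel
config firewall vip
    edit "vip-siteB-app-8062"
        set extintf "wan2"
        set extip 203.0.113.10
        set mappedip "10.20.0.50"
        set portforward enable
        set protocol tcp
        set extport 8062
        set mappedport 8062
    next
end

# 2. A single-port service, so the policy does not need "ALL"
config firewall service custom
    edit "TCP-8062"
        set tcp-portrange 8062
    next
end

# 3. SNAT pool inside Site A's LAN range. Site B already routes that
#    range back into the tunnel, which is what fixes the return path.
config firewall ippool
    edit "snat-siteA-lan"
        set type overload
        set startip 10.10.0.254
        set endip 10.10.0.254
    next
end

# 4. wan2 -> tunnel policy: destination is the VIP, NAT via the pool
config firewall policy
    edit 0
        set name "wan2-to-siteB-app"
        set srcintf "wan2"
        set dstintf "siteB-vpn"
        set srcaddr "all"
        set dstaddr "vip-siteB-app-8062"
        set action accept
        set schedule "always"
        set service "TCP-8062"
        set nat enable
        set ippool enable
        set poolname "snat-siteA-lan"
        set logtraffic all
    next
end

# 5. Phase 2 selectors must include both the SNAT address (Site A LAN)
#    and the server (Site B LAN); Site B needs the mirrored pair.
config vpn ipsec phase2-interface
    edit "siteB-vpn-p2"
        set phase1name "siteB-vpn"
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end

# 6. Test from the FortiGate with a source that falls inside the selectors
execute ping-options source 10.10.0.1
execute ping 10.20.0.50
```

Two points worth checking on the Site B side: its phase 2 selectors must mirror step 5 (10.20.0.0/24 to 10.10.0.0/24), and it needs a policy from the tunnel interface to the LAN that allows TCP/8062 to 10.20.0.50. With `set nat enable` but no pool, the FortiGate would use the outgoing tunnel interface's own address as the source, which is usually not inside the phase 2 selectors and so gets dropped; that is the same reason the bare `execute ping` from the FortiGate failed in the thread until a source inside the selectors was specified.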
gassoraba

Seems like the SNAT worked. Thank you so much

ozkanaltas
Valued Contributor III

Hi @gassoraba ,


I'm glad it was resolved.:) 

 
