Hello,
I have problems here with port forwarding.
OS 5.2.5 and, as of today, 5.2.6.
In the logs I get a timeout as the action every time.
Setup as described in the tutorial.
Example here for port 25, but the problem also occurs on every other port.
create a VIP with source and target IP, portmap 25
create a policy with
On the FortiGate I see the following traces:
622.741365 69.162.124.233.29529 -> 80.147.204.191.25: syn 202472332
622.741514 69.162.124.233.29529 -> 10.1.0.2.25: syn 202472332
id=20085 trace_id=2 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 69.162.124.233:49021->80.147.204.191:25) from ppp1. flag , seq 1464087726, ack 0, win 8192"
id=20085 trace_id=2 func=init_ip_session_common line=4622 msg="allocate a new session-00004b11"
id=20085 trace_id=2 func=fw_pre_route_handler line=177 msg="VIP-10.1.0.2:25, outdev-ppp1"
id=20085 trace_id=2 func=__ip_session_run_tuple line=2613 msg="DNAT 80.147.204.191:25->10.1.0.2:25"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.1.0.2 via internal1"
id=20085 trace_id=2 func=fw_forward_handler line=675 msg="Allowed by Policy-4:"
I can telnet from the fortigate to the mailserver behind 10.1.0.2 port 25, and get the connection.
If I switch NAT on in the policy, it also works, but then I don't get the origin IP on the mail server, only the IP of the internal interface.
Any hints? Looks like a routing problem, but I don't know where to begin.
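A small parser for the `diagnose debug flow` lines quoted above, added here as an example (not from the thread or from Fortinet): it groups lines by trace_id, pulls out the ingress interface, DNAT target, route and policy stages, and reports whether the forward path is complete, which is the point at which the server's own return route (its default gateway) becomes the thing to verify. The sample lines are constructed from the ones in the post; the regexes assume the message formats shown there.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the debug flow lines quoted in the post.
SAMPLE = """\
id=20085 trace_id=2 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 69.162.124.233:49021->80.147.204.191:25) from ppp1. flag , seq 1464087726, ack 0, win 8192"
id=20085 trace_id=2 func=fw_pre_route_handler line=177 msg="VIP-10.1.0.2:25, outdev-ppp1"
id=20085 trace_id=2 func=__ip_session_run_tuple line=2613 msg="DNAT 80.147.204.191:25->10.1.0.2:25"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.1.0.2 via internal1"
id=20085 trace_id=2 func=fw_forward_handler line=675 msg="Allowed by Policy-4:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*? msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
DNAT_RE = re.compile(r'DNAT [\d.]+:\d+->([\d.]+):(\d+)')
ROUTE_RE = re.compile(r'gw-([\d.]+) via (\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')

def parse_flow(text):
    """Group debug-flow lines by trace_id and record the forward-path stages seen."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, _func, msg = m.groups()
        t = traces[tid]
        if p := PKT_RE.search(msg):
            t.update(src=p[2], sport=int(p[3]), dst=p[4], dport=int(p[5]), indev=p[6])
        elif d := DNAT_RE.search(msg):
            t.update(dnat_to=d[1], dnat_port=int(d[2]))
        elif r := ROUTE_RE.search(msg):
            t.update(gw=r[1], outdev=r[2])
        elif pol := POLICY_RE.search(msg):
            t.update(policy=int(pol[1]))
    return dict(traces)

def summarize(t):
    """Say which stages appear; a complete forward path with NAT off in the policy
    means the next thing to verify is the server's return route (default gateway)."""
    stages = {k: k in t for k in ("indev", "dnat_to", "outdev", "policy")}
    complete = all(stages.values())
    note = None
    if complete:
        note = (f"forward path OK: {t['src']}:{t['sport']} -> {t['dst']}:{t['dport']} in on "
                f"{t['indev']}, DNAT to {t['dnat_to']}:{t['dnat_port']}, out via {t['outdev']}, "
                f"policy {t['policy']}; verify {t['dnat_to']} sends replies back via the FortiGate")
    return {"stages": stages, "forward_path_complete": complete, "note": note}
```

Run `summarize(parse_flow(SAMPLE)["2"])` to get the summary for the trace above; a trace missing a stage reports `forward_path_complete` as False with the missing stage marked in `stages`.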
hi,
what exactly is your problem? I see from the debug info that the DNAT is working as it should.
Usually you don't enable NAT on such a policy (because you don't have to). This will then preserve the original source IP address.
If I disable NAT I get a timeout from outside, and also see no access on the mail server.
No access WAN to Internal Network
At the moment it looks like the traffic between wan and internal is not forwarded.
If I look in the Traffic Log -> Forward Traffic, the Action then shows "timeout".
ithierack wrote:
I can telnet from the fortigate to the mailserver behind 10.1.0.2 port 25, and get the connection. If I switch NAT in the policy on, it works also, but then I don't get the origin IP on the mailserver, only IP from the internal interface.
If telnet works to the interface and you get a good response from the mail server, the problem is elsewhere.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I agree with Bob, check the settings on the server: default gateway should be the FGT's internal address; check network mask, etc.