Ingo__T
New Contributor

Portforwarding (smtp,http,...) result in timeouts

Hello,


I have problems with port forwarding here.

OS 5.2.5 and, as of today, 5.2.6.

In the logs I get a timeout as the action every time.


Setup as described in the tutorial.

Example here for port 25, but the problem also occurs on every other port.

Create a VIP with source and target IP, port map 25.

Create a policy with:

  • incoming wan2
  • source address all
  • outgoing internal1
  • destination the VIP
  • service SMTP
  • NAT off


On the FortiGate I see the following traces:

622.741365 69.162.124.233.29529 -> 80.147.204.191.25: syn 202472332
622.741514 69.162.124.233.29529 -> 10.1.0.2.25: syn 202472332

id=20085 trace_id=2 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 69.162.124.233:49021->80.147.204.191:25) from ppp1. flag , seq 1464087726, ack 0, win 8192"
id=20085 trace_id=2 func=init_ip_session_common line=4622 msg="allocate a new session-00004b11"
id=20085 trace_id=2 func=fw_pre_route_handler line=177 msg="VIP-10.1.0.2:25, outdev-ppp1"
id=20085 trace_id=2 func=__ip_session_run_tuple line=2613 msg="DNAT 80.147.204.191:25->10.1.0.2:25"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.1.0.2 via internal1"
id=20085 trace_id=2 func=fw_forward_handler line=675 msg="Allowed by Policy-4:"


I can telnet from the FortiGate to the mail server behind 10.1.0.2 on port 25 and get the connection.

If I switch NAT on in the policy, it also works, but then I don't get the original IP on the mail server, only the IP of the internal interface.

Any hints? It looks like a routing problem, but I don't know where to begin.
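
An added example, not code from this thread or from Fortinet: a small Python helper that parses the two diagnostics pasted above (the `diagnose sniffer packet` lines and the `diagnose debug flow` lines) and separates the question "did the FortiGate DNAT and allow the inbound SYN?" from "did a SYN/ACK from the mapped server ever come back through the FortiGate?". The sniffer and debug-flow samples are copied from the post; the two additional SYN/ACK sniffer lines in `HEALTHY_SNIFFER` are constructed to show what a working return path looks like. Function names and the `stage` labels are my own.

```python
# Added example, not code from this thread or from Fortinet: a triage helper
# for the two FortiGate diagnostics pasted in the question.  It parses
# 'diagnose sniffer packet' lines and 'diagnose debug flow' lines and
# separates two questions:
#   1. forward path - did the FortiGate DNAT the inbound SYN and allow it?
#   2. return path  - did a SYN/ACK from the mapped server ever cross the FortiGate?
# A session whose forward path is fine but never sees the reply is what the
# traffic log records as action "timeout".
import re

SNIFFER_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)
FLOW_RE = re.compile(r'func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>[^"]*)"')
DNAT_RE = re.compile(r"DNAT ([\d.]+):(\d+)->([\d.]+):(\d+)")
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)")
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh"}

# Sniffer and debug-flow output copied from the question.
OP_SNIFFER = """\
622.741365 69.162.124.233.29529 -> 80.147.204.191.25: syn 202472332
622.741514 69.162.124.233.29529 -> 10.1.0.2.25: syn 202472332
"""
OP_FLOW = """\
id=20085 trace_id=2 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 69.162.124.233:49021->80.147.204.191:25) from ppp1. flag , seq 1464087726, ack 0, win 8192"
id=20085 trace_id=2 func=init_ip_session_common line=4622 msg="allocate a new session-00004b11"
id=20085 trace_id=2 func=fw_pre_route_handler line=177 msg="VIP-10.1.0.2:25, outdev-ppp1"
id=20085 trace_id=2 func=__ip_session_run_tuple line=2613 msg="DNAT 80.147.204.191:25->10.1.0.2:25"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.1.0.2 via internal1"
id=20085 trace_id=2 func=fw_forward_handler line=675 msg="Allowed by Policy-4:"
"""
# Constructed lines (not from the post): what the sniffer would additionally
# show if the server's SYN/ACK came back through the FortiGate and was un-NATed.
HEALTHY_SNIFFER = OP_SNIFFER + """\
622.742001 10.1.0.2.25 -> 69.162.124.233.29529: syn 3355443200 ack 202472333
622.742130 80.147.204.191.25 -> 69.162.124.233.29529: syn 3355443200 ack 202472333
"""


def parse_sniffer(text):
    """One dict per 'diagnose sniffer packet' line; 'flags' is the set of TCP flag words."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_RE.match(line)
        if not m:
            continue
        packets.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": {w for w in m["rest"].split() if w in TCP_FLAGS},
        })
    return packets


def parse_flow(text):
    """Pull the DNAT mapping, egress route and allowing policy out of 'diagnose debug flow'."""
    info = {"dnat": None, "route_via": None, "policy": None}
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        msg = m["msg"]
        if d := DNAT_RE.search(msg):
            info["dnat"] = {"ext": (d[1], int(d[2])), "mapped": (d[3], int(d[4]))}
        if m["func"] == "vf_ip4_route_input" and (r := re.search(r"via (\S+)", msg)):
            info["route_via"] = r[1]
        if p := POLICY_RE.search(msg):
            info["policy"] = int(p[1])
    return info


def triage(sniffer_text, flow_text):
    """Return {'stage': 'forward_blocked' | 'no_return' | 'ok', 'flow': ...}."""
    flow = parse_flow(flow_text)
    packets = parse_sniffer(sniffer_text)
    if flow["dnat"] is None or flow["policy"] is None:
        return {"stage": "forward_blocked", "flow": flow}
    mapped_ip, mapped_port = flow["dnat"]["mapped"]
    # A SYN/ACK sourced from the mapped server is the only proof the return path works.
    reply_seen = any(
        p["src"] == mapped_ip and p["sport"] == mapped_port
        and {"syn", "ack"} <= p["flags"]
        for p in packets
    )
    return {"stage": "ok" if reply_seen else "no_return", "flow": flow}


if __name__ == "__main__":
    for label, sniff in (("as posted", OP_SNIFFER), ("constructed healthy", HEALTHY_SNIFFER)):
        result = triage(sniff, OP_FLOW)
        print(f"{label}: stage={result['stage']} dnat={result['flow']['dnat']} "
              f"route_via={result['flow']['route_via']} policy={result['flow']['policy']}")
```

On the posted traces this reports `no_return`: the FortiGate translated 80.147.204.191:25 to 10.1.0.2:25, routed it out internal1 and matched policy 4, but the sniffer never shows a SYN/ACK from 10.1.0.2, so the session sits half-open until the firewall expires it. That narrows the search to how the server sends its reply back, rather than to the VIP or the policy itself.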

4 REPLIES
ede_pfau
Esteemed Contributor III

hi,

what exactly is your problem? I see from the debug info that the DNAT is working as it should.

Usually you don't enable NAT on such a policy (because you don't have to). This will then preserve the original source IP address.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ingo__T

If I disable NAT I get a timeout from outside, and I also see no access on the mail server.

No access from WAN to the internal network.

At the moment it looks like the traffic between WAN and internal is not forwarded.

If I look in the Traffic Log -> Forward Traffic, the Action is then "timeout".

rwpatterson
Valued Contributor III

ithierack wrote:
I can telnet from the fortigate to the mailserver behind 10.1.0.2 port 25, and get the connection.

If I switch NAT in the policy on, it works also, but then I don't get the origin IP on the mailserver, only IP from the internal interface.

If telnet works to the interface and you get a good response from the mail server, the problem is elsewhere.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

I agree with Bob, check the settings on the server: the default gateway should be the FGT's internal address; check the network mask, etc.


Ede

"Kernel panic: Aiee, killing interrupt handler!"