Hello,
Hope you are fine.
I have a problem accessing a private IP server 172.31.X.X/20 behind a FortiGate which has the public IP 1111.1111.1111.1111/32. My server is supposed to be an SMPP server, but I can't access it from the outside. I configured a virtual IP to redirect incoming traffic on the public IP to my server at the corresponding port.
Please, I really need help.
PS: I configured a VPN which works normally with private addresses, but our client only works with public addresses.
You also have to create a firewall policy from the WAN port to the internal port and use the VIP object as the destination.
Hello ebilcari,
I already did that: I created a virtual IP for my server and went to the firewall policies to accept traffic to my server, but it still doesn't work.
Then two other things to check:
- In the VIP configuration, if you choose an interface, you have to choose the WAN interface.
- If the SNMP server is accepting traffic from a specific source IP, you have to disable NAT in the above firewall policy.
I chose the WAN interface and NAT is disabled on the policy rule.
Are you using this setup to send SNMP traps from outside devices via public IPs to the server, or does this server actively query the public devices?
If it is used to receive traps, remember that the port for SNMP traps is 162. If it's used for queries, then no port forwarding is needed; just check if the devices allow the SNMP requests coming from this public IP.
I use this setup to run an SMPP server on port 2777, but I can't access it from the outside.
Also, note that you cannot ping the real server from outside if you have port forwarding enabled. ICMP does not use ports, and thus is not propagated.
Hello Alex2,
In this case, I suggest you capture the flow debugs to get a complete picture of what is happening at the backend.
Please run the commands below in the FortiGate CLI:
diagnose debug reset
diagnose debug flow filter addr x.x.x.x    (where x.x.x.x is the actual public IP of the source user from which you are initiating the traffic)
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable
Please initiate the traffic.
Then please disable the debugs with the commands below:
diagnose debug disable
diagnose debug reset
Regards
Nagaraju.
I tried those commands and I got this:
id=65308 trace_id=1003 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, original direction"
id=65308 trace_id=1004 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, x.x.x.x:4500-> lan port:4500) tun_id=0.0.0.0 from WAN. "
id=65308 trace_id=1004 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, reply direction"
id=65308 trace_id=1005 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, lan port:4500-> x.x.x.x:4500) tun_id=0.0.0.0 from local. "
id=65308 trace_id=1005 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, original direction"
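As an added example (written for this thread, not code from any of the posters or from Fortinet), a small Python helper that parses "diagnose debug flow" output in the format pasted above and reports whether packets for the expected service (TCP/2777) were seen arriving from the WAN and followed by a DNAT in the same trace. The first sample reuses the poster's own two packet lines; the second sample, including the addresses 203.0.113.10 and 172.31.0.10 and the DNAT line, is constructed to illustrate what a successful VIP hit looks like.

```python
import re
from collections import Counter

# Packet line format as it appears in the "diagnose debug flow" output posted above.
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>.+?):(?P<sport>\d+)-> '
                    r'(?P<dst>.+?):(?P<dport>\d+)\) tun_id=\S+ from (?P<intf>[^.]+)\.')
TRACE_RE = re.compile(r'trace_id=(\d+)')

# Constructed sample 1: the packet lines the original poster pasted (UDP 4500 both ways).
THREAD_OUTPUT = """\
id=65308 trace_id=1004 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, x.x.x.x:4500-> lan port:4500) tun_id=0.0.0.0 from WAN. "
id=65308 trace_id=1005 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, lan port:4500-> x.x.x.x:4500) tun_id=0.0.0.0 from local. "
"""
# Constructed sample 2: a TCP/2777 packet reaching a VIP; the addresses 203.0.113.10 and
# 172.31.0.10 and the DNAT line are made up to illustrate the format of a successful hit.
VIP_HIT_OUTPUT = THREAD_OUTPUT + """\
id=65308 trace_id=1006 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=6, x.x.x.x:51234-> 203.0.113.10:2777) tun_id=0.0.0.0 from WAN. "
id=65308 trace_id=1006 func=__ip_session_run_tuple line=3289 msg="DNAT 203.0.113.10:2777->172.31.0.10:2777"
"""
def parse_packets(debug_output):
    """One dict (proto, src, sport, dst, dport, intf, trace_id) per print_pkt_detail line."""
    packets = []
    for line in debug_output.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        pkt = {k: int(v) if k in ("proto", "sport", "dport") else v for k, v in m.groupdict().items()}
        t = TRACE_RE.search(line)
        pkt["trace_id"] = int(t.group(1)) if t else None
        packets.append(pkt)
    return packets

def check_port_forward(debug_output, proto=6, port=2777):
    """Did the expected service traffic arrive from the WAN side, and did the same trace then
    show a DNAT (VIP applied)? Packets 'from local' originate on the FortiGate, not inbound."""
    packets = parse_packets(debug_output)
    dnat_traces = set()
    for line in debug_output.splitlines():
        t = TRACE_RE.search(line)
        if "DNAT" in line and t:
            dnat_traces.add(int(t.group(1)))
    hits = [p for p in packets
            if p["proto"] == proto and p["dport"] == port and p["intf"].lower() != "local"]
    return {
        "packets_seen": len(packets),
        "expected_hits": len(hits),
        "dnat_applied": any(p["trace_id"] in dnat_traces for p in hits),
        "other_flows": Counter((p["proto"], p["dport"], p["intf"]) for p in packets if p not in hits),
    }
```

Run against the thread's own two packet lines it reports no TCP/2777 hits and only UDP/4500 flows (the NAT-T port used by the VPN mentioned in the first post), so the filter caught VPN traffic rather than the SMPP test; a test that reaches the VIP should show a proto=6 packet to port 2777 from the WAN followed by a DNAT line.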