Alex2
New Contributor

Problem to have access to a server behind a FortiGate

Hello,

Hope you are fine

I have a problem accessing a private IP server 172.31.X.X/20 behind a FortiGate which has the public IP 1111.1111.1111.1111/32. My server is supposed to be an SMPP server, but I can't access it from the outside. I configured the virtual IP to redirect incoming traffic on the public IP to my server at the corresponding port.


Please I really need help.


PS: I configured a VPN which works normally with private addresses but our client only works with public addresses 

ebilcari
Staff

You also have to create a firewall policy from the WAN port to the internal port and use the VIP object as the destination:

[attached screenshot: port fwd.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Alex2
New Contributor

Hello ebilcari,

I already did it: I created a virtual IP for my server and I went to the firewall policies to accept traffic to my server, but it still doesn't work.

ebilcari

Then two other things to check:

- In the VIP configuration, if you choose an interface you have to choose the WAN interface.

- If the SNMP server is accepting traffic from specific source IPs, you have to disable NAT in the above firewall policy.

- Emirjon
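The two replies above describe the setup in the GUI; the same thing in FortiOS CLI form, as an added example that is not from the forum thread or from Fortinet, with assumed interface names (wan1, internal), a placeholder public IP 203.0.113.10 and a placeholder server IP 172.31.1.10 (the lines beginning with # are explanatory only):

```fortios
# Custom service for the SMPP port mentioned in the thread
config firewall service custom
    edit "SMPP-2777"
        set tcp-portrange 2777
    next
end

# VIP bound to the WAN interface (assumed name "wan1"),
# forwarding public TCP/2777 to the same port on the internal server
config firewall vip
    edit "vip-smpp"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "172.31.1.10"
        set portforward enable
        set protocol tcp
        set extport 2777
        set mappedport 2777
    next
end

# Inbound policy WAN -> internal with the VIP object as destination;
# NAT disabled so the server still sees the real client source address,
# restricted to the SMPP service and logged for troubleshooting
config firewall policy
    edit 0
        set name "inbound-smpp"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-smpp"
        set action accept
        set schedule "always"
        set service "SMPP-2777"
        set nat disable
        set logtraffic all
    next
end
```

Narrow `srcaddr` to the client's address objects instead of "all" once the client's public IPs are known, and verify the result with `diagnose debug flow` filtered on the server port rather than relying on ping, which port forwarding does not carry.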
Alex2
New Contributor

I chose the WAN interface and NAT is disabled on the policy rule.


ebilcari

Are you using this setup to send SNMP traps from outside devices via public IPs to the server, or does this server actively query the public devices?

If it is used to receive traps, remember that the port for SNMP traps is 162. If it's used for queries, then no port forwarding is needed; just check if the devices allow the SNMP requests coming from this public IP.

- Emirjon
Alex2
New Contributor

I use this setup for an SMPP server on port 2777, but I can't access it from the outside.


ede_pfau
SuperUser

Also, note that you cannot ping the real server from outside if you have port forwarding enabled. ICMP does not use ports, and thus is not propagated.

Ede
"Kernel panic: Aiee, killing interrupt handler!"
knagaraju
Staff

Hello Alex2,
In this case, I suggest you capture the flow debugs to have a complete picture of what is happening at the backend.

Please run the below commands in the FortiGate CLI:
diagnose debug reset
diagnose debug flow filter addr x.x.x.x  --- where x.x.x.x is the actual public IP of the source user from where you are initiating the traffic.
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable

Please initiate the traffic.

Then please disable the debugs with the below commands:
diagnose debug disable
diagnose debug reset


Regards
Nagaraju.

Alex2

I tried those commands and I have this:


id=65308 trace_id=1003 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, original direction"
id=65308 trace_id=1004 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, x.x.x.x:4500-> lan port:4500) tun_id=0.0.0.0 from WAN. "
id=65308 trace_id=1004 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, reply direction"
id=65308 trace_id=1005 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, lan port:4500-> x.x.x.x:4500) tun_id=0.0.0.0 from local. "
id=65308 trace_id=1005 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, original direction"
