Problem to have access to a server behind a FortiGate
Hello,
Hope you are fine
I have a problem accessing a private IP server 172.31.X.X/20 behind a FortiGate which has the public IP 1111.1111.1111.1111/32. My server is supposed to be an SMPP server, but I can't access it from the outside. I configured the virtual IP to redirect incoming traffic on the public IP to my server at the corresponding port.
Please I really need help.
PS: I configured a VPN which works normally with private addresses, but our client only works with public addresses.
Labels: FortiGate
You also have to create a firewall policy from the WAN port to the internal port and use the VIP object as the destination.
If you have found a solution, please like and accept it to make it easily accessible for others.
Hello ebilcari,
I already did it: I created a virtual IP for my server and went to the firewall policies to accept traffic to my server, but it still doesn't work.
Then two other things to check:
- In the VIP configuration, if you choose an interface, you have to choose the WAN interface.
- If the SNMP server accepts traffic from a specific source IP, you have to disable NAT in the above firewall policy.
If you have found a solution, please like and accept it to make it easily accessible for others.
I chose the WAN interface, and NAT is disabled on the policy rule.
Are you using this setup to send SNMP traps from outside devices via public IPs to the server or does this server actively query the public devices?
If it is used to receive traps, remember that the port for SNMP traps is 162. If it's used for queries, then no port forwarding is needed; just check if the devices allow the SNMP requests coming from this public IP.
If you have found a solution, please like and accept it to make it easily accessible for others.
I use this setup for an SMPP server on port 2777, but I can't access it from the outside.
Also, note that you cannot ping the real server from outside if you have port forwarding enabled. ICMP does not use ports, and thus is not propagated.
Hello Alex2,
In this case, I suggest you capture the flow debugs to have a complete picture of what is happening at the backend.
Please run the below commands in the FortiGate CLI:
diagnose debug reset
diagnose debug flow filter addr x.x.x.x
(where x.x.x.x is the actual public IP of the source user from which you are initiating the traffic)
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable
Please initiate the traffic.
Then please disable the debugs with the below commands:
diagnose debug disable
diagnose debug reset
Regards
Nagaraju.
I tried those commands and I have this:
id=65308 trace_id=1003 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, original direction"
id=65308 trace_id=1004 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, x.x.x.x:4500-> lan port:4500) tun_id=0.0.0.0 from WAN. "
id=65308 trace_id=1004 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, reply direction"
id=65308 trace_id=1005 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, lan port:4500-> x.x.x.x:4500) tun_id=0.0.0.0 from local. "
id=65308 trace_id=1005 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, original direction"
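Reading the pasted trace: every packet line is proto=17 (UDP) on port 4500, which is the IPsec NAT-T session of the VPN mentioned in the first post, and no packet to TCP/2777 from the filtered address appears at all, so the FortiGate never saw the SMPP connection attempts from that source. The helper below is an added example (not from the thread or from Fortinet) that parses the print_pkt_detail lines of diagnose debug flow and makes that check explicit; the SMPP line and its 198.51.100.7 / 203.0.113.10 addresses are constructed placeholders.

```python
import re
from collections import Counter

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Matches the print_pkt_detail lines of "diagnose debug flow"; the post has the
# real addresses redacted (x.x.x.x, "lan port"), so src/dst are matched loosely.
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>.+?):(?P<sport>\d+)->\s*(?P<dst>.+?):(?P<dport>\d+)\)"
    r".*?from (?P<iface>\S+?)\."
)

# Constructed sample: the trace lines pasted in the thread above.
THREAD_TRACE = """\
id=65308 trace_id=1003 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, original direction"
id=65308 trace_id=1004 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, x.x.x.x:4500-> lan port:4500) tun_id=0.0.0.0 from WAN. "
id=65308 trace_id=1004 func=resolve_ip_tuple_fast line=6027 msg="Find an existing session, id-0006d816, reply direction"
id=65308 trace_id=1005 func=print_pkt_detail line=5939 msg="vd-root:0 received a packet(proto=17, lan port:4500-> x.x.x.x:4500) tun_id=0.0.0.0 from local. "
"""
# Constructed line showing what an inbound SMPP connection attempt would look like
# (hypothetical addresses from the documentation ranges, not from the thread).
SMPP_SYN_LINE = ('id=65308 trace_id=1006 func=print_pkt_detail line=5939 msg="vd-root:0 '
                 'received a packet(proto=6, 198.51.100.7:51234->203.0.113.10:2777) '
                 'tun_id=0.0.0.0 from WAN. flag [S], seq 1, ack 0, win 64240"\n')

def parse_packets(trace):
    """Return one dict per packet line; session-lookup lines are skipped."""
    pkts = []
    for line in trace.splitlines():
        m = PKT_RE.search(line)
        if m:
            d = m.groupdict()
            pkts.append({"proto": int(d["proto"]), "src": d["src"],
                         "sport": int(d["sport"]), "dst": d["dst"],
                         "dport": int(d["dport"]), "iface": d["iface"]})
    return pkts

def summarize(trace, proto=6, port=2777, wan_iface="WAN"):
    """Count flows by (proto name, dst port, ingress interface) and report whether
    the service being troubleshot was ever seen arriving on the WAN interface."""
    pkts = parse_packets(trace)
    flows = Counter((PROTO_NAMES.get(p["proto"], str(p["proto"])), p["dport"],
                     p["iface"]) for p in pkts)
    seen = any(p["proto"] == proto and p["dport"] == port
               and p["iface"].lower() == wan_iface.lower() for p in pkts)
    return {"flows": dict(flows), "service_seen_on_wan": seen}
```

If the summary shows the service was never seen on WAN, the problem lies before the VIP and policy (wrong filter address, client not sending, or traffic blocked upstream); if it was seen, the lines that follow it in the trace (DNAT, policy match or deny) show which FortiGate step drops it.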