Hi, I have a small network where all my equipment has private IP addresses (10.x.x.x) and I am using a Fortigate 300C.
I have a special need where I need to use a public IP address (e.g. A.A.A.A) to talk to an equipment that is configured just to reply to that address. My server talks to that equipment by means of a NAT using IP Pool (with only that address A.A.A.A), and it works great. My server is also accessible with a VIP from the Internet and it works great. Problem is that if that particular public IP Address (A.A.A.A) tries to access my server from the Internet the Fortigate doenst seem to know how to handle it... The packets doesnt seem to reach the server and looking through the Fortigate sniffer on that port, I just see SYN, SYN/ACK, RST.
I have tried disabling the NAT, but the only thing that returns the ability of the A.A.A.A address to reach the server from the outside is to delete the IP Pool where it is defined. Just entering this IP Pool again (without any associated Policy) causes the same error.
I am trying to setup a kind of a proxy server that talks to this measuring equipment and is reachable transparently by the same public address, so its important to figure out a way to let A.A.A.A reach my new intermediary server.
[special equipment port 5] <- NAT IP POOL with A.A.A.A. - < [server port 7] <- VIP -< [wan port 9] --- [INTERNET]
I realize that this is unusual and a complex configuration, but after spending many hours, wanted to see if there are any ideas and if the Fortigate can handle this.
What exactly is the treatment of IP Pools by the Fortigate and why would it affect the VIP on another port?
Thanks!
Joe
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Joe,
Its confusing. Can you please elaborate with a network diagram attached.. ...Will love to help
Thanks
Rohit
Hello,
You mention that "looking through the Fortigate sniffer on that port, I just see SYN, SYN/ACK, RST.
If I understand correctly, the source IP address of the TCP SYN is a public IP address = A.A.A.A and the destination IP address is your internal server.
So the TCP SYN/ACK will have a destination IP address = A.A.A.A which is an IP pool address . The problem is that this session has not been source natted so the kernel would not try to dnat this packet and should simply try to route this TCP SYN/ACK . The issue is that by default ARP reply is enabled in IP pools, so it means that the this destination IP address is seen as "belonging" to the FGT. It means that the kernel would try to route the packet to the FGT itself. So the TCP RST sent from FGT to server
You can try to disable ARP reply in your IP pool, it may help as this IP address would no longer be seen as belonging to the FGT
Thanks
Thanks - I think that is the solution. This 300C is running an old version (4.0 MR3 patch 11), hence the feature does not seem to be available in this release.
I will schedule an upgrade to the equipment to the latest version in order to apply this new setting and update with the results. But I totally subscribe to your suggestion. At least in theory, this fits, and should fix it.
Many thanks!
Joe
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1645 | |
1070 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.