Server IP address could not be found for IPsec VPN Remote Access
Hi, I'm trying to remotely access my local LAN using FortiClient. I'm able to connect to the IPsec VPN and ping 192.168.1.1, but I cannot ping my server IP address or access the local server. Is there any problem with my settings? My server IP address is also within the Local-LAN range, so why can't I ping my server? Please help.
Regards,
Labels: FortiClient, FortiGate
Hello,
You may consider collecting a debug flow and a traffic sniffer capture while pinging the unreachable server:
Debug flow:
diagnose debug flow filter daddr <server IP address>
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
Traffic sniffer:
diagnose sniffer packet any 'icmp and host <server IP address>' 4 0 a
Hi @abarushka ,
I have run the debug flow and traffic sniffer. What does it mean?
Debug flow:
Traffic sniffer:
Regards,
Hello,
On the firewall side everything looks good. I can see that firewall policy 7 is matched. The ICMP packet is received (TONY-VPN) and sent out (interface lan). However, the firewall doesn't receive an ICMP reply.
I would recommend checking whether ICMP is filtered (server OS firewall) on the server side.
Hi @abarushka ,
I'm able to ping my server IP address after enabling NAT on all the policies, but I'm still not able to ping my server name. If I can ping the server IP address, that means ICMP is not filtered on the server side, right?
Regards,
Is the server IP part of the subnet 192.168.1.x, and does it use .1 as the gateway (or as a next hop in a route to reach the VPN subnet)? Check also the firewall of the server for any specific rule that allows or blocks based on source IP. If NAT is not enabled on the policy, the requests will be sourced from the IP of the VPN client.
If you have found a solution, please like and accept it to make it easily accessible for others.
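The sniffer command suggested earlier in the thread prints one line per packet, and the "received on TONY-VPN, sent out on lan, no reply" reading above plus the source-IP point in this reply can be checked mechanically. As an added example (not from any poster or from Fortinet), this Python analyser parses such a verbose-level-4 capture, reports where the echo request/reply path breaks, and detects whether the request left the FortiGate source-NATed. The two captures, the interface name lan and all addresses (10.212.134.200 as the tunnel IP, 192.168.1.10 as the server) are constructed.

```python
import re

# Constructed sample output of the thread's sniffer command at verbose level 4, which prints
# "<time> <interface> <in|out> <src> -> <dst>: icmp: echo request|reply". Hypothetical values:
# 10.212.134.200 = FortiClient tunnel IP, 192.168.1.10 = server, 192.168.1.1 = FortiGate LAN IP.
CAPTURE_NO_REPLY = """\
1.001 TONY-VPN in 10.212.134.200 -> 192.168.1.10: icmp: echo request
1.002 lan out 10.212.134.200 -> 192.168.1.10: icmp: echo request
2.001 TONY-VPN in 10.212.134.200 -> 192.168.1.10: icmp: echo request
2.002 lan out 10.212.134.200 -> 192.168.1.10: icmp: echo request
"""
# Same ping after source NAT was enabled on the policy: the server now sees 192.168.1.1.
CAPTURE_NAT_REPLY = """\
1.001 TONY-VPN in 10.212.134.200 -> 192.168.1.10: icmp: echo request
1.002 lan out 192.168.1.1 -> 192.168.1.10: icmp: echo request
1.003 lan in 192.168.1.10 -> 192.168.1.1: icmp: echo reply
1.004 TONY-VPN out 192.168.1.10 -> 10.212.134.200: icmp: echo reply
"""
PKT = re.compile(r"^\s*[\d.]+\s+(\S+)\s+(in|out)\s+(\S+)\s+->\s+(\S+):\s+icmp:\s+echo (request|reply)")


def parse_sniffer(text):
    """One dict per ICMP echo line; header lines and any non-echo lines are skipped."""
    pkts = []
    for m in filter(None, map(PKT.match, text.splitlines())):
        ifname, direction, src, dst, kind = m.groups()
        pkts.append({"if": ifname, "dir": direction, "src": src, "dst": dst, "kind": kind})
    return pkts


def analyse_ping(text, server):
    """Locate where the echo request/reply path breaks, as seen from the FortiGate."""
    pkts = parse_sniffer(text)
    req_in = [p for p in pkts if p["kind"] == "request" and p["dir"] == "in" and p["dst"] == server]
    req_out = [p for p in pkts if p["kind"] == "request" and p["dir"] == "out" and p["dst"] == server]
    rep_in = [p for p in pkts if p["kind"] == "reply" and p["dir"] == "in" and p["src"] == server]
    rep_out = [p for p in pkts if p["kind"] == "reply" and p["dir"] == "out" and p["src"] == server]
    # Source NAT is in effect when the egress request carries a different source than the ingress one.
    snat = bool(req_in and req_out and {p["src"] for p in req_in} != {p["src"] for p in req_out})
    if not req_in:
        verdict = "no echo request reached the FortiGate: look at the client/tunnel side"
    elif not req_out:
        verdict = "echo request dropped by the FortiGate: check policy and route in debug flow"
    elif not rep_in:
        verdict = "request forwarded but no reply from server: check server host firewall and return route"
    elif not rep_out:
        verdict = "reply reached the FortiGate but was not sent to the client: check session/policy"
    else:
        verdict = "round trip complete"
    return {"requests_in": len(req_in), "requests_out": len(req_out), "replies_in": len(rep_in),
            "replies_out": len(rep_out), "source_nat": snat, "verdict": verdict}
```

Run `analyse_ping(CAPTURE_NO_REPLY, "192.168.1.10")` to reproduce the "no reply" diagnosis from the thread, and the NAT capture to see the source change flagged with a complete round trip.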
Hi @ebilcari ,
Yes, the server IP is part of the subnet 192.168.1.x, and 192.168.1.1 is the default gateway, which is also used to access the GUI of the Fortinet firewall. I think the firewall of the server only allows the local LAN subnet to access it; does it mean that I need to set all the firewall policies to enable NAT?
Regards,
From a security perspective it is not recommended, because the source IP of the client will be hidden from the server, but if that is the only way, you can configure the policy to NAT the client requests with the IP of the FGT, 192.168.1.1.
Hi @ebilcari ,
I'm able to ping my server IP address after enabling NAT on all the policies, but I'm still not able to ping the server name. As my LAN-to-SDWAN policy was originally set with NAT enabled, I could only modify the other policies. But I found that if NAT is disabled on one of the policies, then the server IP can no longer be pinged; is that correct?
Regards,
In order to ping by name, a DNS server must be able to resolve the name into the IP of the server. This is not related to network reachability or NAT-ing the traffic; most probably different network segments use their own DNS servers.
If the server firewall will accept connections only from the subnet 192.168.1.x and that can't be changed, then the only possible way of communication is to source NAT the requests with the FGT IP.