Hi, I'm trying to remotely access my local LAN using FortiClient. I'm able to connect to the IPsec VPN and ping 192.168.1.1, but I cannot ping my server IP address or access the local server. Is there any problem with my settings? My server IP address is also within the Local-LAN range, so why can't I ping my server? Please help.
Regards,
Hello,
You may consider collecting a debug flow and a traffic sniffer capture while pinging the unreachable server:
Debug flow:
diagnose debug flow filter daddr <server IP address>
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
Traffic sniffer:
diagnose sniffer packet any 'icmp and host <server IP address>' 4 0 a
Hi @abarushka ,
I have run the debug flow and traffic sniffer. What does it mean?
Debug flow:
Traffic sniffer:
Regards,
Hello,
On the firewall side everything looks good. I can see that firewall policy 7 is matched. The ICMP packet is received (TONY-VPN) and sent out (interface lan). However, the firewall doesn't receive an ICMP reply.
I would recommend checking whether ICMP is filtered (server OS firewall) on the server side.
Hi @abarushka ,
I'm able to ping my server IP address after enabling NAT on all the policies, but I'm still not able to ping my server name. If I can ping the server IP address, that means ICMP is not filtered on the server side, right?
Regards,
Is the server IP part of the subnet 192.168.1.x, and does it use .1 as the gateway (or as a next hop in a route to reach the VPN subnet)? Also check the server's firewall for any specific rule that allows or blocks based on source IP. If NAT is not enabled on the policy, the requests will be sourced from the IP of the VPN client.
Hi @ebilcari ,
Yes, the server IP is part of the subnet 192.168.1.x, and 192.168.1.1 is the default gateway, used to access the GUI of the Fortinet firewall. I think the server's firewall only allows access from the local LAN subnet. Does it mean that I need to enable NAT on all the firewall policies?
Regards,
From a security perspective it is not recommended, because the source IP of the client will be hidden from the server, but if that is the only way, you can configure the policy to NAT the client requests with the IP of the FGT, 192.168.1.1.
Hi @ebilcari ,
I'm able to ping my server IP address after enabling NAT on all the policies, but I'm still not able to ping the server name. As my LAN-to-SDWAN policies were originally set with NAT enabled, I could only modify the other policies. But I found that if NAT is disabled on one of the policies, then the server IP can't be pinged anymore. Is that correct?
Regards,
In order to ping by name, a DNS server should be able to resolve the name into the IP of the server. This is not related to network reachability or NAT-ing the traffic; most probably different network segments use their own DNS servers.
If the server firewall will accept connections only from the subnet 192.168.1.x and that can't be changed, then the only possible way of communication is to source NAT the requests with the FGT IP.
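To make the reasoning in the two answers above concrete (the echo request is seen coming in on TONY-VPN and going out on lan but no reply comes back, and the source address the server sees depends on whether the policy NATs), here is an added Python example that is not part of the thread and not FortiOS code. It parses sniffer output in the shape produced by `diagnose sniffer packet any 'icmp and host <server>' 4 0 a` (verbosity 4, absolute timestamps) and reports at which hop the ping stopped. The two captures inside it are constructed; the client address 10.212.134.200 and server address 192.168.1.50 are assumptions, and the interface names follow the thread (TONY-VPN, lan).

```python
"""Classify a FortiOS ICMP sniffer capture: at which hop does the ping stop?

Added example, not from the forum thread.  Input lines mimic the format of
'diagnose sniffer packet any "icmp and host <server>" 4 0 a'; the captures
below are constructed, not real output, and the client/server addresses
(10.212.134.200, 192.168.1.50) are assumed.
"""
import ipaddress
import re

# One sniffer line: "<date> <time> <iface> <in|out> <src> -> <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): icmp: echo (?P<kind>request|reply)$"
)


def parse_capture(text):
    """Return a dict per ICMP echo line; lines that do not match are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def diagnose(text, lan_if, lan_subnet, vpn_if):
    """Count request/reply packets per hop and return a verdict.

    lan_if     FortiGate interface facing the server (e.g. "lan")
    lan_subnet the server's subnet, e.g. "192.168.1.0/24"
    vpn_if     the IPsec tunnel interface (e.g. "TONY-VPN")
    """
    net = ipaddress.ip_network(lan_subnet)
    pk = parse_capture(text)

    req_in_vpn = [p for p in pk if p["kind"] == "request" and p["dir"] == "in" and p["iface"] == vpn_if]
    req_out_lan = [p for p in pk if p["kind"] == "request" and p["dir"] == "out" and p["iface"] == lan_if]
    rep_in_lan = [p for p in pk if p["kind"] == "reply" and p["dir"] == "in" and p["iface"] == lan_if]
    rep_out_vpn = [p for p in pk if p["kind"] == "reply" and p["dir"] == "out" and p["iface"] == vpn_if]

    # Source address the server actually sees on the LAN side.  With NAT on the
    # policy it is the FortiGate's LAN address; without NAT it is the VPN client.
    lan_sources = sorted({p["src"] for p in req_out_lan})
    natted = bool(lan_sources) and all(ipaddress.ip_address(s) in net for s in lan_sources)

    if not req_in_vpn:
        verdict = "no echo request arrived on the tunnel interface: the problem is on the client side"
    elif not req_out_lan:
        verdict = "request reached the FortiGate but never left on the LAN interface: check the policy/route with debug flow"
    elif not rep_in_lan:
        verdict = "request left on the LAN but the server never replied: check the server OS firewall and its gateway"
        if not natted:
            verdict += "; the server saw the VPN client's own address as source (policy without NAT)"
    elif not rep_out_vpn:
        verdict = "reply reached the FortiGate but was not forwarded back into the tunnel"
    else:
        verdict = "ping works end to end"

    return {
        "request_in_vpn": len(req_in_vpn),
        "request_out_lan": len(req_out_lan),
        "reply_in_lan": len(rep_in_lan),
        "reply_out_vpn": len(rep_out_vpn),
        "lan_sources": lan_sources,
        "natted": natted,
        "verdict": verdict,
    }


# Constructed capture 1: policy WITHOUT NAT.  The request is forwarded with the
# VPN client's address as source and nothing ever comes back from the server.
CAPTURE_NO_NAT = """\
2024-05-01 10:12:01.234567 TONY-VPN in 10.212.134.200 -> 192.168.1.50: icmp: echo request
2024-05-01 10:12:01.234612 lan out 10.212.134.200 -> 192.168.1.50: icmp: echo request
2024-05-01 10:12:02.235001 TONY-VPN in 10.212.134.200 -> 192.168.1.50: icmp: echo request
2024-05-01 10:12:02.235050 lan out 10.212.134.200 -> 192.168.1.50: icmp: echo request
"""

# Constructed capture 2: same policy WITH NAT.  The server sees the FortiGate's
# LAN address 192.168.1.1 as source, answers it, and the reply is un-NATed back.
CAPTURE_NAT = """\
2024-05-01 10:20:01.100000 TONY-VPN in 10.212.134.200 -> 192.168.1.50: icmp: echo request
2024-05-01 10:20:01.100040 lan out 192.168.1.1 -> 192.168.1.50: icmp: echo request
2024-05-01 10:20:01.100900 lan in 192.168.1.50 -> 192.168.1.1: icmp: echo reply
2024-05-01 10:20:01.100950 TONY-VPN out 192.168.1.50 -> 10.212.134.200: icmp: echo reply
"""

if __name__ == "__main__":
    for name, cap in (("without NAT", CAPTURE_NO_NAT), ("with NAT", CAPTURE_NAT)):
        r = diagnose(cap, lan_if="lan", lan_subnet="192.168.1.0/24", vpn_if="TONY-VPN")
        print(f"{name}: {r['verdict']} (sources seen on LAN: {r['lan_sources']})")
```

Paste the real sniffer output into `diagnose()` in place of the constructed captures; the `natted` flag tells you directly which address the server's host firewall is being asked to accept, which is the crux of the NAT discussion above.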
Copyright 2024 Fortinet, Inc. All Rights Reserved.