Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Walenteano
New Contributor

Traffic via tunnel

I have a customer that configured a tunneling from a particular external public IP address to access some server applications through the fortigate firewall on their LAN. From what I was told, that particular public IP can reach the fortigate from the other end but they can't ping that IP from the customer's end. Don't know what went wrong. Kindly assist.
3 REPLIES 3
ede_pfau
SuperUser
SuperUser

hi,

 

I'm afraid the lack of configuration data leaves a lot to speculate here.

 

It sounds like there is a port forwarding (destination NAT) policy from WAN to LAN in effect which allows to access an internal server via the FGT's external public address. In this policy a VIP (virtual IP) is used which translates the public IP to the private internal IP of the server.

So far, no surprises.

There are 2 kinds of VIPs: simple ones and port-forwarding ones. The simple VIP just exchanges the destination address, that is, all traffic to <public IP> will be translated to the new destination <private IP>. Access to the server is only limited by the service(s) you allow in the policy.

 

The port-forwarding VIP translates the destination address AND single destination ports. This is more common and (in a way) a bit safer. Each service (ftp, smtp etc.) uses specific, well defined (destination) ports so the internal server is only reachable via the specific service.

That, on the other hand, prohibits PING to be forwarded, as the ICMP protocol is not based on ports. Only a non-port-forwarding VIP will allow you to ping the internal server.

 

I hope this explains your problem. If not, please supply more info like, what the problem is, which policy is involved and how the VIP is configured. We'll see how we can help then.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

This is more common and (in a way) a bit safer

 

They both simple and port-forward vip needs a security policy, neither is more safer than the other. The port-forward is used mainly when your pre-NAT port needs to be changed to a port that is NOT the destination

 

 

example

 

   inbound port 443, server port 788

 

I personally hate port-forward vip unless the above example is required or using a sinle public address to conserve space to 2 or more back in. server

 

example

 

public web @ 192.0.2.1 :80 ----->192.168.1.110:80

pubic email @ 192.0.2.1:25 ----> 192.168.1.77:25

public sftp-server @ 192.0.2.1:22 ----> 192.168.1.26:22

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ede_pfau

Agree, VIPs have nothing to do with security so I should be even more cautious with my remarks. Good you made that absolutely clear.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors