How can I reach a VIP from the internal interface?
I can ping Firewall public IP but not a VIP...
What does your policy to the VIP look like?
The only way to PING a VIP is if port forwarding is not being used. This is by design. You cannot port forward ICMP traffic, so PINGs will be dropped. You need to dedicate an entire IP to PING that internal VIP device.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi,
port forwarding is not used.
The VIP is:

```
config firewall vip
    edit "server"
        set extip 89.xx.xx.xx
        set extintf "wan1"
        set mappedip 192.168.1.10
    next
end
```

192.168.1.10 is on the internal LAN.
What model device?
70D
I had a similar issue back on a FGT60AD back in the day. The way I believe I got it to work was to NAT the policy to the VIP. The smaller model switches behave differently than the ones with just 'Portx'*. Give that a shot. If I can find the old config (I save everything), I'll give it the once over to see if there was anything else involved.
*: At the time, the FGT FW version was 3.x. Much has changed in between then and now. This was also from personal experience. Your mileage may vary.
Hi,
maybe the KB articles below are what you need.
How internal users can access internal resources via an external VIP (public IP address):
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33976
How to access a NATted server internally with its public IP address:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36657
Hope this helps.
@scheehan_FTNT: in KB article 33976, the IP address of port2 is wrong (it's the same as of port3). Luckily, this doesn't invalidate this solution.
@OP
The main points with this are:
- the VIP needs to be configured for the "any" device - usually you would specify the 'external' device here
- you need a policy from 'internal' to 'internal' if the server is located in the same LAN. Looks strange but is valid and working.
Even if the second TN is marked "FortiOS v5" I'd go with the first recipe and avoid Policy Routing.
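Putting the two points above together as a FortiOS CLI example (added here for illustration; it is not configuration from the thread's posters or from the KB article): the VIP is bound to `any` instead of `wan1`, and a second policy from `internal` to `internal` carries the hairpin traffic. Source NAT on that policy matters: without it the server would see the client's real LAN address and answer it directly, bypassing the FortiGate, and the session would break. The interface name `internal`, the VIP name `server` and the redacted `89.xx.xx.xx` are taken from the thread; the policy name is an assumption.

```fortios
# Added example, not the original poster's config.
# VIP bound to "any" so the public address is translated
# regardless of which interface the packet arrives on.
config firewall vip
    edit "server"
        set extip 89.xx.xx.xx
        set extintf "any"
        set mappedip 192.168.1.10
    next
end

# Hairpin policy: LAN clients reaching the VIP's public IP from the
# same LAN. Both interfaces are "internal"; this is valid.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "lan-to-vip-hairpin"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "server"
        set action accept
        set schedule "always"
        set service "ALL"
        # Source NAT: the server replies to the FortiGate, not to the
        # client's LAN address, so return traffic stays in the session.
        set nat enable
    next
end
```

Because the VIP has no port forwarding, ICMP to 89.xx.xx.xx is translated as well, so a ping from the LAN to the public address reaches 192.168.1.10 through this policy.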
Copyright 2024 Fortinet, Inc. All Rights Reserved.