Hello, i have a Fortigate 90D that is working pretty well. I'm having a problem in configuring a VIP to let an external application access a badge reader in my local LAN via telnet on port 9999, there is an issue (I believe) in the local segment of my network. Telnet (as well as ping) command is working fine from my PC to the badge reader: i can access the device via telnet and interact with the console. The weird thing is that the Fortigate cannot telnet into the badge reader: if I issue "execute telnet x.x.x.x 9999" the connection goes in timeout. FGT can telnet to other machines on the LAN. The problem seems to exist only between the FGT and the badge reader. All the machines (PC, servers) are on the same local subnet: they all go through a single switch that is connected to a Lan port on FGT. Anyone have some clue?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
build ipppol of the vip public address and call that in a policy with telnet
config firewall policy
edit 0
set srcint <xxxx>
set dstint <yyyy>
set action accept
set srcaddr <insert inside host obj>
set dstaddr <insetr dst host obj>
set nat enable
set natpool enable /* check the command */
set poolname <insert the earlier firewall ippool name >
set schedule always
set service telnet ping
end
PCNSE
NSE
StrongSwan
I tried but it still doesn't work... this is my configuration:
config firewall policy edit 23 set srcintf "wan1" set dstintf "internal" set srcaddr "all" set dstaddr "Badge Reader VIP" set action accept set schedule "always" set service "PING" "tcp_9999" "TELNET" set logtraffic all set nat enable set fixedport enable set ippool enable set poolname "VIP public" next end
Chances are it is simply a misconstructed custom service. Source port range is 1024(or 0)-65535 and the destination port range would be 9999-9999. I'll bet you have 9999 in the source as well. That would definitely make the WAN access fail. I can't say anything toward the Fortigate's access to the device. Also in the policy you posted above, disable NAT and remove the IPPool settings (unset them). IP Pools are source NAT settings. You don't wish to change the incoming IP addresses to that of your Fortigate, do you? NAT should only need to be enabled on outward (WAN) facing policies to mask private IP addresses from reaching the Internet. ISPs won't let them out anyway, but that's another story...
You could probably toss the 'fixedport enable' as well.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
That policy look very bad, 1st are you trying to ACCESS the VIP from wan1 or is the mapped address behind the vip trying to access something over the internet and port 9999?
Your not clear in what your doing but you need to clarify is this internet <outward> or <inward> from the internet to the mapped inside host?
PCNSE
NSE
StrongSwan
Ok perhaps I've misunderstood your suggestion and the policies were messed up.
This is my first version of the VIP/Policy, before opening this thread:
config firewall vip edit "Badge Reader VIP" set extip x.x.x.x set extintf "any" set portforward enable set mappedip "192.168.168.210" set extport 9999 set mappedport 9999 next end config firewall policy edit 23 set name "Telnet 9999" set srcintf "wan1" set dstintf "internal" set srcaddr "all" set dstaddr "Badge Reader VIP" set action accept set schedule "always" set service "ALL" set logtraffic all next end
I have configured several services on the Fortigate to be accessible from the internet and all of them have an almost identical configuration. I'm having problems just with this badge reader. Maybe it's this custom device that is, in someway, corrupted?
I have never set up a Virtual IP with the source interface of 'any'. I feel it's poor programming, especially if you know that all of your connections are coming from a single interface. Did you try setting that to 'wan1' instead?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
You're right, I was supposed to set wan1 as source interface, I just tried but unfortunately nothing changed, i still cannot telnet to the device from public ip nor from the firewall.
Tomorrow i'll try with connecting the other end of the cable straight into one of the FGT port and let's see if this solves.
FWIW
Any in the vip is okay, now is the mapped ip address correct? Is the inside interface correct?
Did you run diag debug flow cmds to ensure it 1st hitting your outside vip and being DNAT'd ?
PCNSE
NSE
StrongSwan
Okay the diag trace shows your denied. It's a strange trace btw. Let's go over your setup since your presented mainly items and maybe confusion in all of it ;)
Can you ping the device from the fortigate ? but telnet fails ? Correct? nothing from the internet upstream blocks 9999
Your VIP is facing the internet and the internal host is { 192.168.168.210 }
config firewall address
edit host_192.168.168.210
set subnet 192.168.168.210/32
end
( example )
config firewall vip edit "VIP9999" set uuid cc4a02ce-2f25-51e5-06f9-f0b57d8d1eca set extip x.x.x.x ( address that presented to the customer ) set extintf "WAN" set mappedip 192.168.168.210 set portforward enable set protocol tcp set extport 9999 set mapped port 9999end
config firewall service custom
edit TCP9999
set tcp-portrange 9999
end
config firewall policy
edit 0
set srcintf wan1
set dstintf lan1
set srcaddr all
set dstaddr VIP9999
set action accept
set schedule always
set service TCP9999 PING
end
!!!!! DO NOT ENABLE NAT ON THAT POLICY !!!!!!
Does your firewall policy look any thing like that ? and has NO nat enable ?
if not can you make it so and retest
PCNSE
NSE
StrongSwan
My configuration looks almost identical, except that i don't have setup custom address nor service:
config firewall vip
edit "badge reader"
set extip x.x.x.x
set extintf "wan1"
set portforward enable
set mappedip "192.168.168.210"
set extport 9999
set mappedport 9999
next
end
config firewall policy
edit 23
set name "Telnet 9999"
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "badge reader"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Nothing changed, i'm still not able to telnet into the device from internet. Just to recap: my laptop (192.168.168.32) is able to ping and telnet to the device. The Fortigate (192.168.168.1) is not able to ping nor telnet.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.