Maybe someone can help me with this.
I’m trying to give access to the VIP from the internal LAN (VIP hairpin access) and I don’t know why it’s not working.
When I try to go to the external IP, the FortiGate keeps blocking the traffic in the Implicit Deny policy.
FortiGate 81E on FortiOS 7.2.5
WAN1 : x.x.x.x (WAN1 in SD-WAN Zone)
Computer: 10.10.70.69 (type VLAN: VLAN70 on physical port 1)
Server: 10.10.0.8 (Physical port 2)
VIP=
Hi @philbud,
The VIP is correct. However, your policy is wrong. You need 2 firewall policies. One to allow VLAN70 to virtual-wan-link, another one to allow virtual-wan-link to port2 (only use VIP in this policy as destination). Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448
Regards,
Thanks for response...
Yes, sorry, I forgot to mention it, but I do have a policy from virtual-wan-link to port2 already there, but like I said it's not working. Do you see anything else?
Do you have a policy to allow VLAN70 to virtual-wan-link? If yes, make sure the destination is set to all and NAT is enabled. If it is still not working, you can run a debug flow by following this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,
Yes, I do have a policy to allow VLAN70 to virtual-wan-link (destination set to all and NAT enabled).
Here's the debug flow... I don't know why it gets denied by policy 0.
Debug
Thanks again for your help
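One way to read a trace like that, as an added example that is not part of this thread: the sample lines below are constructed to match the `diagnose debug flow` output format for the scenario in this thread (placeholder public IP 203.0.113.10, session id and line numbers made up), and the script pulls out the ingress interface, the post-DNAT destination and the routed egress interface, which together are what the FortiGate evaluated when it reported policy 0.

```python
import re

# Constructed sample of a FortiOS debug flow trace for the hairpin case in
# this thread (10.10.70.69 on VLAN70 browsing to the WAN1 address). The public
# IP is a placeholder and the lines were written for this example; they are
# not the poster's output.
SAMPLE_TRACE = """\
id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.10.70.69:55242->203.0.113.10:443) tun_id=0.0.0.0 from VLAN70. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=7 func=init_ip_session_common line=6089 msg="allocate a new session-0000abcd"
id=65308 trace_id=7 func=fw_pre_route_handler line=182 msg="VIP-10.10.0.8:443, outdev-VLAN70"
id=65308 trace_id=7 func=__ip_session_run_tuple line=3435 msg="DNAT 203.0.113.10:443->10.10.0.8:443"
id=65308 trace_id=7 func=vf_ip_route_input_common line=2591 msg="find a route: flag=00000000 gw-10.10.0.8 via port2"
id=65308 trace_id=7 func=fw_forward_handler line=887 msg="Denied by forward policy check (policy 0)"
"""

PKT_RE = re.compile(r"received a packet\(proto=\d+, (\S+)->(\S+)\).* from (\S+)\.")
DNAT_RE = re.compile(r'msg="DNAT \S+->(\S+)"')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)"')
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


def summarize_flow(trace: str) -> dict:
    """Reduce a debug flow trace to the tuple the policy lookup actually used."""
    info = {"src": None, "orig_dst": None, "srcintf": None,
            "dnat_dst": None, "dstintf": None, "denied_policy": None}
    for line in trace.splitlines():
        if m := PKT_RE.search(line):
            # ingress packet: original source, original (public) destination, ingress interface
            info["src"], info["orig_dst"], info["srcintf"] = m.groups()
        elif m := DNAT_RE.search(line):
            # VIP translated the destination before routing and policy lookup
            info["dnat_dst"] = m.group(1)
        elif m := ROUTE_RE.search(line):
            # egress interface chosen for the translated destination
            info["dstintf"] = m.group(1)
        elif m := DENY_RE.search(line):
            info["denied_policy"] = int(m.group(1))
    return info


def required_policy(info: dict) -> str:
    """Describe the interface pair and destination the trace shows no policy matched."""
    dst = info["dnat_dst"] or info["orig_dst"]
    return f"{info['srcintf']} -> {info['dstintf']} to {dst}"
```

Running `required_policy(summarize_flow(SAMPLE_TRACE))` on the constructed trace gives `VLAN70 -> port2 to 10.10.0.8:443`, i.e. the lookup happened after DNAT and routing, so the interfaces and address in that string are the ones the real trace should be compared against the existing policies.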