VIP Hairpin access from LAN

philbud
New Contributor

Maybe someone can help me with this.

I’m trying to give access to VIP from internal LAN (VIP hairpin access) and I don’t know why it’s not working.

When I try to go to the external IP, the FortiGate keeps blocking the traffic in the Implicit deny policy.

 

FortiGate 81E on FortiOS 7.2.5

WAN1 : x.x.x.x (WAN1 in SD-WAN Zone)

Computer: 10.10.70.69 (type VLAN: VLAN70 on physical port 1)

Server: 10.10.0.8 (Physical port 2)

 

(screenshot attachments of the firewall policy configuration, not reproduced here)

VIP=

(screenshot attachments of the VIP configuration, not reproduced here)

 

hbac
Staff

Hi @philbud,

 

The VIP is correct. However, your policy is wrong. You need 2 firewall policies: one to allow VLAN70 to virtual-wan-link, and another one to allow virtual-wan-link to port2 (only use the VIP as the destination in this policy). Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

 

Regards, 
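
Added example, not part of hbac's reply or of the linked article: a hairpin NAT configuration written out in FortiOS CLI form, using the addresses and interface names from the original post. The object names (VIP-server, the policy names), the service and the policy IDs are assumptions. The check a practitioner wants here is the VIP's extintf setting: the destination NAT only applies to packets that arrive on the VIP's external interface, so a VIP bound to wan1 alone does not translate a packet that enters from VLAN70. That packet is then addressed to one of the FortiGate's own IPs and is handled as local-in traffic rather than matched against the forward policies, which is one way to end up at policy 0. Setting extintf to any lets the same VIP serve both the WAN side and the LAN side.

```fortios
# Added example (not from the original thread). Addresses follow the post:
# WAN1 x.x.x.x (external), server 10.10.0.8 on port2, client on VLAN70.
# Object names, the service and the policy IDs are assumed; replace x.x.x.x
# with the real public address.

config firewall vip
    edit "VIP-server"
        set extip x.x.x.x
        set mappedip "10.10.0.8"
        # "any" lets the DNAT match packets entering from VLAN70 as well as wan1.
        # With extintf "wan1" only packets arriving on wan1 are translated.
        set extintf "any"
    next
end

config firewall policy
    # Policy for external users: SD-WAN zone to the server via the VIP.
    edit 0
        set name "WAN-to-server-VIP"
        set srcintf "virtual-wan-link"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP-server"
        set schedule "always"
        set service "ALL"
    next
    # Hairpin policy: LAN client reaching the server through the VIP's
    # external IP. Source interface is the VLAN, destination interface is the
    # server's port, destination address is the VIP object only. NAT is
    # enabled so the server sees the FortiGate's port2 address as the source
    # and sends its replies back through the FortiGate instead of directly to
    # the client (which would break the translated connection).
    edit 0
        set name "VLAN70-to-server-hairpin"
        set srcintf "VLAN70"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP-server"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The two policies are deliberately separate: the WAN-facing one does not need source NAT because the server's default route already points back through the FortiGate, while the hairpin one does. If central NAT is enabled on the unit, the VIP and source NAT are instead applied through the central DNAT and SNAT tables rather than the nat setting in the policy.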

philbud
New Contributor

Thanks for response...

Yes, sorry, I forgot to mention it, but I do have a policy from virtual-wan-link to port2 already there, but like I said it's not working. Do you see anything else?

 

(screenshot attachment of the virtual-wan-link to port2 policy, not reproduced here)

hbac

@philbud,

 

Do you have a policy to allow VLAN70 to virtual-wan-link? If yes, make sure the destination is set to all and NAT is enabled. If it is still not working, you can run a debug flow by following this article: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Regards,
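
Added example of the debug flow commands that the linked troubleshooting article walks through; this is not text from hbac's reply. The filter is narrowed to the client and the VIP's external address from the post so that the trace shows only the hairpin attempt: which interface the packet entered, whether the VIP's DNAT was applied, and which policy ID it matched. The trace count of 100 is an arbitrary choice.

```fortios
# Added example (not from the original thread). Clear any earlier filter,
# then trace only the client (10.10.70.69) talking to the VIP's external IP.
# Replace x.x.x.x with the real public address.
diagnose debug reset
diagnose debug flow filter saddr 10.10.70.69
diagnose debug flow filter daddr x.x.x.x
# Print the kernel function names and the policy (iprope) decisions.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 100
diagnose debug enable

# Reproduce the connection from the client, read the output, then stop:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Reading the output: a line of the form "find DNAT: IP-10.10.0.8, ..." shows the VIP matched the packet; a routing line that selects wan1 instead means no DNAT happened and the packet is being sent toward the FortiGate's own public address. "Allowed by Policy-<id>" names the forward policy that matched, "Denied by forward policy check (policy 0)" means no forward policy matched the interface pair and addresses after translation, and "iprope_in_check() check failed on policy 0, drop" means the packet was treated as local-in traffic to the FortiGate itself rather than forwarded.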

 

philbud
New Contributor

@hbac 

yes I do have a policy to allow VLAN70 to virtual-wan-link (destination to all and NAT enabled)

Here's the debug flow... I don't know why it gets denied by policy 0.

 

Debug

(screenshot attachment of the debug flow output, not reproduced here)

Thanks again for your help

 
