Support Forum
BWiebe
Contributor

VIP Issue

Hey all,

I've set up a couple of VIPs with the same external IP to different internal IPs/networks and different ports on a client's firewall running 6.0.3 (previously 6.0.2).

One of the VIPs only listens on TCP 7108 and forwards to a server on the Internal LAN.

The other VIP listens on 22 and is supposed to forward to a server on the DMZ LAN (FTP over SSH).

The issue is that traffic to the second VIP never seems to get to the firewall. I sniff the IP and port 22, or I sniff the DMZ IP and port 22, and see nothing. The first VIP to the internal LAN works perfectly.

If I set the second VIP to use port 2222 (for example) and forward to 22, this works fine and responds. The issue is that I need the 22 to 22 to work.

The client has limited IPs to work with or I'd consider using a different IP entirely.

This, to me, appears to be a bug with forwarding SSH. I confirmed I have it disabled on all interfaces for management, and don't see a specific Local-In policy using it or other policy using it.

If I enable SSH on the WAN interface, it works, so I don't believe it's the ISP blocking the traffic outside the firewall.

Thoughts?

Just an odd issue... never had issues with VIPs before.

Thanks!

2 Solutions
rwpatterson
Valued Contributor III

Does TELNET work from the inside?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

rwpatterson
Valued Contributor III

Everything looks good from the 10,000 ft view. Let's get an answer on the local and work from there. Please, get the setups online here for the virtual IP setup and the policy.

From the command line:

FGT# show firewall policy <policy_number>

FGT# show firewall vip "<VIP_name>"

If using a custom policy, add:

FGT# show firewall service custom "<custom_service_name>"

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

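The VIP, policy and interface settings the post above asks to see, written out as an added FortiOS CLI illustration of the two-VIP setup described in the original post (constructed example, not the poster's configuration; the public IP 203.0.113.10, the interface names wan1/internal/dmz, the server addresses and the object names are placeholders):

```text
# Constructed example (not the poster's config). Placeholders: 203.0.113.10 = shared
# public IP, wan1/dmz = interface names, 10.10.0.5 and 10.20.0.5 = the two servers.
config firewall vip
    edit "VIP_7108_INTERNAL"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set mappedip "10.10.0.5"
        set extport 7108
        set mappedport 7108
    next
    edit "VIP_SSH_DMZ"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set mappedip "10.20.0.5"
        set extport 22
        set mappedport 22
    next
end
# One WAN-to-DMZ policy per VIP; the VIP object is the destination address.
config firewall policy
    edit 0
        set name "WAN_to_DMZ_SSH"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP_SSH_DMZ"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end
# Admin SSH stays off the external interface, as the original post describes.
config system interface
    edit "wan1"
        set allowaccess ping https
    next
end
# The check the original post describes: sniff for the VIP traffic on the WAN side.
# diagnose sniffer packet wan1 'host 203.0.113.10 and tcp port 22' 4
# No packets during a connection attempt means the traffic never reaches the
# firewall and is being dropped upstream, which is what the OP later confirmed.
```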
17 REPLIES
BWiebe
Contributor

On further testing, it actually IS the ISP blocking port 22.

I missed it in initial test.

ede_pfau
Esteemed Contributor III

never had issues with VIPs before.
- 100%!

except maybe for specialities like having a VIP changing a URL to an IP address and thus causing a cert error... even that is solvable.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Bogens

Hi Guys,

I'm a newbie on this forum and I'm looking for an answer on how to enable telnet to be able to access from outside. SSH is working fine but telnet with port 4001 assigned is not working. Any idea, guys? Please help.

ede_pfau
Esteemed Contributor III

First off, please don't hijack threads. Just open a new one.

Second, do you allow ALL services in the outbound policy, or have you created a custom service? If so, what does it look like?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Bogens

Hi Ede, thanks btw, and sorry if I offended you by replying to this thread; it's just that it's the same issue reported, since it's under the VIP configuration. Anyway, services are ALL, but I don't know why it's not working. I will create another post for this.

Bogens
New Contributor

Hi Guys,

Need some help. I created port forwarding and it's working well, except for the Telnet port: 4001.

SSH is working fine but telnet is not working. Any idea?
Bogens
New Contributor

Please help... attached a screenshot of the configuration made.

Note: SSH and others are working except for TELNET.

rwpatterson
Valued Contributor III

Does TELNET work from the inside?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bogens

Hi Patterson, I'm out of the office now, but just in case I can't telnet to it locally, is there anything that needs to change in the Fortinet setup? That server had telnet before, using another device, and now that we have upgraded it to Fortinet, telnet is not working on the VIP.
