Fortinet Community

penguruh · ‎05-23-2012

Hey Forum, maybe u can help me out? I would like to make a VIP port forwarding to an internal IP. As you can see in the networkplan, it should be mapped from 1.1.1.1:25 and 1.1.1.1:587 to 10.1.1.100:25. Is that even possible? If I follow the instructions from the Knowledge Base * i cant connect to 1.1.1.1:25. * http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=12945&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=33052695&stateId=0%200%2033050827 VIP without port forwarding -> port 25 works VIP with port forwarding -> port 587 works, port 25 doesnt work anymore. thx patrick ps: sorry for my bad english!

ede_pfau · ‎05-23-2012

How did you configure the VIP? paste the text from the CLI (" conf fire vip" , " show" ). For 2 port forwardings you need 2 VIPs. Put them into a VIP group for convenience.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

penguruh · ‎05-28-2012

Hey, thx for your relay, sorry for my late relay, i was ill in bed the last days :-( 1. VIP edit " VIP1" set extip 1.1.1.1 set extintf " ext" set mappedip 10.1.1.100 next 2. VIP edit " VIP2" set extip 1.1.1.2 set extintf " ext" set portforward enable set mappedip 10.1.1.100 set extport 587 set mappedport 25 next is this right?

ede_pfau · ‎05-29-2012

Your first VIP is non-portforwarding and so catches ALL the traffic to 1.1.1.1. Whereas the second VIP is port-specific. Both will " work" in the incoming direction but the problem is with outgoing traffic coming from 10.1.1.100:25. Looking at the mapping the Fortigate will send out port 25 traffic through VIP2, regardless of whether this is the way the traffic came in. In short, change VIP1 to be more specific: map port 25 to port 25. As a side note, you don' t have to use 2 external IPs to service 2 ports. Both external IP addresses could be the same, the traffic is distributed via the combination of external IP, mapped IP and port.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

rwpatterson · ‎05-29-2012

As far as I know, you cannot have both in a setup [to a single server]. Either a non port forward to an internal server, or many port forwarded VIPs to that same server. One or the other. NOTE - changed the wording to make it less ambiguous.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

penguruh · ‎05-29-2012

Hey @ll, i do for every port a vip with a forwarding. 1.1.1.1:25 -> 10.1.1.100:25 = VIP:25 1.1.1.1:587 -> 10.1.1.100:25 = VIP:587 1.1.1.1:110 -> 10.1.1.100:110 = VIP:110 and so on ... (yep, it' s a mail-server:-) Thank you!

ede_pfau · ‎05-29-2012

" i do" = " i did" or " i will do" ? Did you have success with splitting it up?

Ede

"Kernel panic: Aiee, killing interrupt handler!"

penguruh · ‎05-29-2012

" i did" and i had success with that solution.

rwpatterson · ‎05-29-2012

As a side note to this, make sure you DISABLE relaying through that box without authentication, otherwise you are going be on a blacklist (or 2) before long...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Fortinet Community

VIP Port Forwarding