natman
New Contributor

VIP config issue

Hey all, my first post here.

So I have a Fortigate 300c and an issue with VIP, or something else that I can't get my head around.

Explanation of the config (IP addresses are for reference only):

3x IPsec tunnels: 1, 2 & 3
Multiple hosts on the VLAN connected behind the Fortigate
I have 2 hosts that both need to appear as the same IP address to the remote host network, and then send/receive traffic based on port range difference.
The hosts need to establish a persistent TCP connection to the remote host(s)

I have set up 2x VIP, with port forwarding enabled with corresponding ports allocated, e.g.:

VIP1 Host A NAT - this is working excellent, we have TCP connection established and data flow through both public & private if
external IP address/range: 10.1.1.1 - 10.1.1.1
mapped IP address/range: 192.168.1.1 - 192.168.1.1 (private if)
TCP port range forwarding enabled as required: 11120 - 11029
Source Address filter enabled: 120.1.1.2 120.1.3.3
Host A sends/receives traffic via IPsec 1&2

VIP2 Host B NAT - I have data flow via public if, not private if, which needs to connect TCP to remote host
external IP address/range: 10.1.1.1 - 10.1.1.1
mapped IP address/range: 192.168.2.2 - 192.168.2.2 (private if)
TCP port range forwarding enabled as required: 31120 - 31029
Source Address filter enabled: 130.5.5.5
Host B to send traffic via IPsec 3

Host B will not establish a TCP connection (nc -vn etc.). It looks like it should. The IPsec tunnel was working fine with another host prior to adding the extra VIP, so we know there is no issue there.

Worth noting that I have Host B's web services working via a public interface, just can't get the private interface to establish a TCP connection. Traceroute and ICMP are not options for testing; the remote host drops everything we send, which is normal for the remote host due to security policies at their end.

I have gone over and over the rest of the config, and it looks like this should just work. Maybe I'm missing something in regard to configuration of the second VIP, or it's the addition of Host B as a fresh server.

Your input greatly appreciated....

Troubleshooting steps, walkthroughs most welcome.
