hey all, my first post here so i have a Fortigate 300c and an issue with VIP, or something else that i can't get my head around, explanation of the config: ip addresses are for reference only. 3x ipsec tunnels 1,2 & 3 multiple hosts on the vlan connected behind the fortigate i have 2 hosts that both need to appear as the same ip address to the remote host network, and then send receive traffic based on port range difference. the hosts need to establish a persistent tcp connection to the remote host(s) i have setup 2x vip, with port forwarding enabled with corresponding ports allocated eg:
VIP1 Host A NAT - this is working excellent, we have tcp connection established and data flow through iboth public & private if external ip address/range: 10.1.1.1 - 10.1.1.1 mapped ip address/range 192.168.1.1 - 192.168.1.1 (private if) tcp port range forwarding enabled as required 11120 - 11029 Source Address filter enabled 120.1.1.2 120.1.3.3 Host A sends receives traffic via IPsec 1&2 VIP2 Host B NAT - i have data flow via public if, not private if which needs to connect tcp to remote host external ip address/range: 10.1.1.1 - 10.1.1.1 mapped ip address/range 192.168.2.2 - 192.168.2.2 (private if) tcp port range forwarding enabled as required 31120 - 31029 Source Address filter enabled 130.5.5.5 Host B to send traffic via IPsec 3 Host B will not establish tcp connection, nc -vn etc, it looks like it should, IP Sec tunnel was working fine with another host prior to adding the extra vip so we know there is no issue there
Worth noting that i have Host B's web services working via a public interface, just cant get private interface to establish tcp connection, traceroute, icmp are not options for testing, remote host drops everything we send, which is normal for the remote host due to security policies at their end.
i have gone over and over the rest of the config, and it looks like this should just work. maybe i'm missing something in regard to configuration of the second VIP, or its the addition of HostB as a fresh server your input greatly appreciated....
trouble shooting steps, walk throughs most welcome
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1647 | |
1070 | |
751 | |
443 | |
214 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.