Cruz2019
New Contributor

VIP with different external ip

Hello,
I hope you can support or guide me if what I intend to do is possible:
I have a web server with the external IP 187.210.xx.xxx and the mapped IP 172.16.x.xx, as a VIP. I just hired another ISP, and I want to publish this same server with that external IP so that when my main ISP is not working, my server exits through my secondary ISP.

First of all, thanks.
emnoc
Esteemed Contributor III

 

Q: Are you doing BGP?

Q: Is the 187.210.x.x/xx advertised to both ISPs?

If you answer yes to both, then set the VIP interface to ANY:

config firewall vip
    edit "VIP-ANY1"
        set mappedip "172.16.1.1"
        set extintf "any"
    next
end

Then run a "diag debug flow" against the target and monitor.

 

Ken Felix

SCTG-MS

PCNSE NSE StrongSwan
Cruz2019
New Contributor

I do not use BGP. My web server is published only by my main ISP, which is 187.210.xx / xx. My intention is to publish it on my second ISP, but I do not know how to do it, so that when my main ISP fails, my secondary ISP takes its place automatically so as not to lose the published service.

emnoc
Esteemed Contributor III

That would be impossible if your 2nd ISP does not originate the prefix. You could publish 2x VIPs, one with x.x.x.x-map-to-server and one with y.y.y.y-map-to-server, for the web services.

Ken Felix

 

PCNSE NSE StrongSwan
Cruz2019
New Contributor

What options do I have to carry out this action? The purpose is to publish my server so that it is available on the 2 ISPs, if it is possible to do so.
I have SDWAN for internal connections and I would like to have something similar for external connections, to have high availability.
emnoc
Esteemed Contributor III

Well, if that's the case, you need 2 VIPs:

config firewall vip
    edit "ISP1"
        set extip x.x.x.x
        set extintf "wan1"
        set mappedip "172.16.1.1"
    next
    edit "ISP2"
        set extip y.y.y.y
        set extintf "wan2"
        set mappedip "172.16.1.1"
    next
end

Put both VIPs into a vipgrp and place that into a policy. Now here's the kicker: you need to test it. With SDWAN it is possible the server might want to route out the wrong interface.

So I would test VIP1 with diag sniffer packet wan1 "host x.x.x.x" and confirm two-way traffic. And lastly, you would need 2 A records,

e.g.

www.example.com has address x.x.x.x
www.example.com has address y.y.y.y

If you have GSLB/GTM you can probably add that to your mix and control it by one of these 2, but I'm assuming you do not.

But it's impossible to use one address for both ISP1/2.

 

Ken Felix

PCNSE NSE StrongSwan
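
The group-and-policy step described in the reply above, written out as an added example that is not part of the original posts. ISP1 and ISP2 are the two VIPs defined in that reply; the names WEB-VIPS and VIP-Webserver, the interface names virtual-wan-link and internal, and the HTTP/HTTPS service list are assumptions.

```fortios
# Added example, not from the thread. Names marked (assumed) are placeholders.

# Group the two per-ISP VIPs. The members are bound to different
# external interfaces (wan1 and wan2), so the group interface is "any".
config firewall vipgrp
    edit "WEB-VIPS"                        # (assumed) group name
        set interface "any"
        set member "ISP1" "ISP2"
    next
end

# One inbound policy covering both VIPs. Publishing only the web
# services keeps the rest of the server's ports off both ISPs.
config firewall policy
    edit 0                                 # 0 = use the next free policy ID
        set name "VIP-Webserver"           # (assumed) policy name
        set srcintf "virtual-wan-link"     # (assumed) SD-WAN interface name
        set dstintf "internal"             # (assumed) LAN interface name
        set srcaddr "all"
        set dstaddr "WEB-VIPS"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"         # (assumed) services for a web server
        set logtraffic all
    next
end

# Return-path check for the second VIP, mirroring the wan1 test in the reply.
# Verbosity 4 prints the interface on each packet, so a reply to a wan2
# client that leaves through wan1 is visible immediately.
diagnose sniffer packet wan2 "host y.y.y.y" 4
diagnose sniffer packet any "host 172.16.1.1 and port 443" 4
```

Run the sniffer while a client connects to y.y.y.y from outside; both directions should show wan2.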
Cruz2019
New Contributor

The current configuration, with which the VIP is working with my main ISP or WAN 1, is the following:
I have the following VIP configured:
Name: SRV-MyCompany
Interface: WAN1
External IP address / range: 187.210.xxx.xx
Mapped IP address / range: 172.16.1.xx

And the Policy
Name: VIP-Myserver
Incoming Interface: SDWAN (All my ISP)
Outgoing Interface: Local Network
Source: All
Destination: SRV-MyCompany

With this configuration it worked perfectly, both for internal and external connections. I already have another ISP added to my FortiGate, "WAN2". I want the server that I have published on "WAN1" to also be published on "WAN2", because every time my WAN1 goes down, all connections to my server are lost. This issue is somewhat complex for me because I do not fully master it.
I don't know how to do these configurations: whether I have to create another VIP, which IPs it should carry, or whether something additional is required.
It is worth mentioning that my main ISP gives me 8 public IP addresses, but the second one only gives me one.