Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hbuenafe81
New Contributor III

VIPs on loopback with s2s communication

Gents,

Need your assistance here. I have an s2s connection and I want the remote side to access my server ports through a loopback interface. The s2s is up and able to reach my loopback interface; however, my VIP port forwarding using the loopback is not responding. Based on my diagnose sniffer output, the remote side is able to reach the loopback but no ACK is received, as shown below.

3953.534013 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3956.547416 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3962.546623 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
----config---

config system interface
    edit "Loopback102"
        set vdom "root"
        set ip 10.0.225.102 255.255.255.255
        set allowaccess ping https ssh http fgfm
        set type loopback
        set role lan
        set snmp-index 25
    next
end

-----------------

config firewall policy
    edit 66
        set name "ewew"
        set uuid 7be5d9e4-c0fc-51ee-71e4-dc872d849459
        set srcintf "TO-JED"
        set dstintf "Loopback102"
        set action accept
        set srcaddr "JED-DMZ-SVR"
        set dstaddr "iNET-1200"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " "
    next
end

config firewall vip
    edit "iNET-1200"
        set uuid 5099f20a-c0f9-51ee-edd8-d4b4f6b515f3
        set extip 10.0.225.102
        set mappedip "10.3.131.160"
        set extintf "any"
        set portforward enable
        set extport 1200
        set mappedport 7000
    next
end

TBogs
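The capture in the post above shows the same SYN entering on TO-JED three times with nothing coming back. The following Python script is an added example, not code from the poster or from Fortinet: it parses lines in that `diagnose sniffer packet` style and reports TCP flows whose SYN was never answered by a SYN-ACK or RST, which is the check the post made by eye. The sample input is constructed (the three lines from the post plus a made-up healthy handshake on port 443 for contrast), and the line layout and flag tokens the regex expects are assumptions taken from the capture shown.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of FortiGate "diagnose sniffer packet"
# verbosity-1 output. The first three lines follow the thread's capture
# (same 4-tuple, the same SYN retransmitted); the last three lines are a
# constructed healthy handshake on port 443, added only for contrast.
SAMPLE_CAPTURE = """\
3953.534013 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3956.547416 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3962.546623 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3970.100000 TO-JED in 10.1.74.21.65100 -> 10.0.225.102.443: syn 1000
3970.100500 TO-JED out 10.0.225.102.443 -> 10.1.74.21.65100: syn 5000 ack 1001
3970.101000 TO-JED in 10.1.74.21.65100 -> 10.0.225.102.443: ack 5001
"""

# Assumed line layout: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags/seq>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}


@dataclass
class FlowState:
    """Handshake state for one client->server 4-tuple."""
    iface: str
    first_ts: float
    last_ts: float
    syn_count: int = 0
    syn_ack_seen: bool = False
    rst_seen: bool = False


def parse_capture(text):
    """Group sniffer lines into flows keyed by (client, cport, server, sport)."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines, hex dumps, other verbosity levels
        flags = {tok for tok in m["rest"].split() if tok in TCP_FLAGS}
        if not flags:
            continue  # not a TCP line (udp/icmp) or no flag tokens present
        ts = float(m["ts"])
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        if "syn" in flags and "ack" not in flags:
            # Bare SYN: the client opening (or retrying) the connection
            st = flows.setdefault(fwd, FlowState(m["iface"], ts, ts))
            st.syn_count += 1
            st.last_ts = ts
        elif rev in flows:
            # Packet travelling server -> client for a flow we already track
            st = flows[rev]
            if {"syn", "ack"} <= flags:
                st.syn_ack_seen = True
            if "rst" in flags:
                st.rst_seen = True
        # Other client-side packets (final ACK, data) don't change the verdict
    return flows


def unanswered_syns(text):
    """Flows whose SYN(s) drew neither SYN-ACK nor RST, as sorted
    (client, cport, server, sport, syn_count) tuples."""
    return sorted(
        key + (st.syn_count,)
        for key, st in parse_capture(text).items()
        if not (st.syn_ack_seen or st.rst_seen)
    )


if __name__ == "__main__":
    for client, cport, server, sport, n in unanswered_syns(SAMPLE_CAPTURE):
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYN(s), no reply seen")
```

Run against the thread's three lines the script reports the 10.1.74.21:65027 -> 10.0.225.102:1200 flow with three unanswered SYNs, while the constructed port-443 flow is silent because its SYN-ACK was seen. A SYN that is accepted on the tunnel interface but never answered is the firewall's side of the problem, not the tunnel's; the next step on a FortiGate is usually `diagnose debug flow` on that 4-tuple to see which policy and VIP (if any) the packet actually matches.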
22 REPLIES
Toshi_Esumi
SuperUser

Not contributing to fixing this problem, but you probably wouldn't have had to deal with it if you had used the tunnel interface to set the IP and VIP instead of using the loopback interface. With that, you don't need two sets of policies, just one set between the tunnel interface and the LAN interface.

Toshi

hbuenafe81

Got you, bro. It's a customer's demand for security reasons; there's nothing you can do about it. Anyhow, thanks everyone.

TBogs
ken24
Visitor

Hi @hbuenafe81

I have exactly the same problem: I need to use a VIP over a loopback interface for traffic coming from an s2s VPN. I've tried everything, but I can't get it to do the NAT. Did you solve this problem?

Ken
