Gents,
Need your assistance here.. i have a s2s connection and i want the remote side to access my server ports through loopback interface. s2s is up and able to reach my loopback interface, however my VIPs port forwarding using loopback is not responding.. base on my diagnose sniffer shows that remote are able to reach the loopback but no ack receive as shown below.
3953.534013 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3956.547416 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3962.546623 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
----config---
config system interface
edit "Loopback102"
set vdom "root"
set ip 10.0.225.102 255.255.255.255
set allowaccess ping https ssh http fgfm
set type loopback
set role lan
set snmp-index 25
-----------------
config firewall policy
edit 66
set name "ewew"
set uuid 7be5d9e4-c0fc-51ee-71e4-dc872d849459
set srcintf "TO-JED"
set dstintf "Loopback102"
set action accept
set srcaddr "JED-DMZ-SVR"
set dstaddr "iNET-1200"
set schedule "always"
set service "ALL"
set logtraffic all
set comments " "
next
end
edit "iNET-1200"
set uuid 5099f20a-c0f9-51ee-edd8-d4b4f6b515f3
set extip 10.0.225.102
set mappedip "10.3.131.160"
set extintf "any"
set portforward enable
set extport 1200
set mappedport 7000
next
Not contributing to fix this problem but you probably didn't have to deal with this problem if you used the tunnel interface to set IP and VIP instead of using loopback interface. With that, you don't have to have two sets of policies but just one set between the tunnel interface and the LAN interface.
Toshi
Created on 02-07-2024 08:58 PM Edited on 02-07-2024 09:03 PM
Got you bro, it's a customers demand for security reason, there nothing you can do about it. Anyhow, thanks everyone.
Hi @hbuenafe81
I have exactly the same problem, I need to use a VIP over a loopback interface for traffic coming from an s2s VPN. I've tried everything but I can't get it to do the NAT. Did you solve this problem?
Ken
Created on 06-17-2024 10:05 PM Edited on 06-18-2024 03:49 AM
Yes, I solve it, could you share trace and policy created for us to check. Kindly try also to enter below command to the VIP.
set portforward enable
Hi @hbuenafe81
Thanks for your response.
I have two policies, the first one from the s2s VPN towards the loopback (permit any to any), and the second policy from the loopback towards the LAN interface (permit any to VIP). I do not have the screenshots of the policies since it is a client's Fortigate and I did the tests during a maintenance window, after all I rolled back my changes.
The ping tests from the VPN to the IP of my loopback respond correctly, but when I generate traffic to the VIP it does not match with my policies and the traffic matches the implicit deny policy
In my VIPs I have the "set portforward enable" command enabled. What other changes did you make to make NAT work correctly for you? I must have a plan for my next maintenance window with the client.
hi @ken24, there might be some Policy or on VIP that matches the current setup you created, that why it goes to deny policy. What I did is that double check all VIP and Policy and make sure it doesn't overlap other policies. It took me awhile to notice but I'm sure we experience the same.
the above from ken24 sounds correct to me. But if there is no snat on the second policy your server will have to have static route to your vpn subnet/source ips with the FGT as gateway or it must have the FGT as default gw. Otherwise in this case your ping will reach the server but the replay will not reach back to you.
Secondly your traffic comes still from vpn and you have a policy from loopback to lan. That certainly will not match traffic coming from your vpn.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.