jd653687
New Contributor III

VLAN external to LAN not allowed

Hi,

I have a VLAN configured which is only allowed to use http/https and dns for internet. There is a webserver on the LAN they need to contact, which is also reachable from the outside. When they try to connect to this website they get the outside address from the DNS and in the firewall we get a not allowed. I created a security policy, but no effect.

The web server is available with a VIP from outside to LAN, port 80 and 443, interface set to any.

Any idea how to solve this?

LAN is 10.0.0.0/24

VLAN 192.168.5.0/24

Try to go to www.mydomain.nl

On the LAN this is 10.0.0.2

On the outside this is 200.200.200.20 (example)

DNS on the VLAN gets 200.200.200.20 and in the logging we see "deny policy violation implicit deny".

FortiGate 51E with 5.4.0; tonight I am updating it to the latest IOS.

7 replies
MikePruett
Valued Contributor

Do you have a VLAN to internal policy to allow that traffic? It might be doing some hair-pinning and wanting the policy to allow it even though the outside policy is there.

Mike Pruett Fortinet GURU | Fortinet Training Videos
jd653687
New Contributor III

Hi Mike,

Thank you for the quick reply.

Yes, there is a policy for VLAN to LAN (NAT disabled).

How to hair-pin this?

Regards,

Jan

rwpatterson
Valued Contributor III

Try enabling NAT.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

MikePruett

You could try using a VIP for the external address that forwards to the internal address. I have had to do this before in environments set up the way yours is.

Mike Pruett Fortinet GURU | Fortinet Training Videos
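
The hairpin arrangement Mike and Bob are describing, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the interface names "wan1", "internal" and "vlan5", the VIP name "web-vip" and the policy name are assumptions; the addresses are the ones given in the question.

```text
# Assumed names: "wan1" = outside interface, "internal" = LAN (10.0.0.0/24),
# "vlan5" = the 192.168.5.0/24 VLAN. Addresses are the example values from the question.

# The VIP maps the public address to the web server. extintf "any" is what allows
# traffic arriving from the VLAN (not only from wan1) to be translated by this VIP.
config firewall vip
    edit "web-vip"
        set extip 200.200.200.20
        set extintf "any"
        set mappedip "10.0.0.2"
    next
end

# The VLAN-to-LAN policy must name the VIP object as destination. A policy whose
# destination is "all" or the plain 10.0.0.2 address object does not match the
# translated session, which is why the log shows the implicit deny.
# NAT is enabled so the server sees the FortiGate's internal address as source and
# its replies return through the FortiGate instead of going directly to the VLAN client.
config firewall policy
    edit 0
        set name "vlan-to-webserver-hairpin"
        set srcintf "vlan5"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
end
```

A quick way to confirm the policy is the one being hit is to watch the forward traffic log for a connection from a VLAN host to 200.200.200.20: the entry should show the policy name above and the translated destination 10.0.0.2 rather than an implicit deny.
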
jd653687
New Contributor III

Setting to NAT made no difference.

I was already using a VIP from external to LAN.

Problem is that the VLAN needs to go to the LAN but is getting the external IP.

jd653687
New Contributor III

Yes, I can ping from VLAN to LAN.

The VLAN is using the FortiGate DNS, which is set to the provider's DNS servers.

I already found that this was the problem, but I do not know how to solve it.

I tried to create a DNS Database and pointed the VLAN to this server and created an A record for the internal server, but I still got the external IP address?

I cannot find how to set up the DNS Database in the FortiGate, which I think is the solution.
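
The split-DNS setup the post above is asking for, as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet: the interface name "vlan5", the zone name "mydomain-internal" and the DHCP server id are assumptions; the domain and addresses are the ones given in the question.

```text
# Assumed: "vlan5" is the VLAN interface (192.168.5.0/24). Zone name, record and
# DHCP server id are placeholders chosen for this example.

# A local zone for mydomain.nl that answers www with the LAN address.
# view shadow: the zone is served only to clients that query the FortiGate itself,
#              it is never exposed to outside resolvers.
# authoritative disable: names not defined here are still forwarded to the
#              upstream (provider) servers, so ordinary internet lookups keep working.
config system dns-database
    edit "mydomain-internal"
        set domain "mydomain.nl"
        set type master
        set view shadow
        set authoritative disable
        config dns-entry
            edit 1
                set type A
                set hostname "www"
                set ip 10.0.0.2
            next
        end
    next
end

# The zone only helps if VLAN clients send their queries to the FortiGate's own
# VLAN address, so the DNS service must be enabled on that interface.
config system dns-server
    edit "vlan5"
        set mode recursive
    next
end

# On the VLAN's existing DHCP server entry (id assumed; ip-range, netmask and
# gateway are already set and not repeated here), hand out the interface address
# as the DNS server instead of the provider's servers.
config system dhcp server
    edit 1
        set interface "vlan5"
        set dns-service local
    next
end
```

To verify, query the FortiGate's vlan5 address for www.mydomain.nl from a VLAN host: it should answer 10.0.0.2. If the public address still comes back, the client is resolving against the provider's servers directly (for example a statically configured resolver, or a DHCP lease that predates the change) rather than through the FortiGate.
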

jd653687
New Contributor III

I am now using the internal DNS servers and this solved the problem.

Thanks to all of you helping me out.
