AMAK
New Contributor III

Virtual IP address: connecting from internal

I have configured a Virtual IP address for my website with port forwarding:

Interface: WAN1

Static NAT type

Local IP: 192.168.1.54

Public IP: XX.XXX.XXX.XX

Port Forwarding External 80 Map to IPv4 Port 84

The Policy for this Virtual IP:-

Incoming Interface: WAN1

Outgoing Interface: internal

Source: WAN2_int (Subnet 0.0.0.0/0 Interface:wan2)

Destination: Virtual IP (above)

Service: All_TCP

NAT: enabled

IP Pool configuration: Use Outgoing Interface Address

I cannot resolve the domain name to browse the website, nor can I browse the website with a Public IP address. All my hosting services for website and exchange emails didn't work.

Am I missing some routing policies or some Internal to WAN policies?

Totally lost

asengar
Staff

Hi Amak

Can you try giving the service as ALL in the policy, and also clarify the line in the policy you defined [Source: WAN2_int (Subnet 0.0.0.0/0 Interface:wan2)].

Also verify whether you are able to access it internally on port 84 or not.

Thanks

@bhishek
AMAK
New Contributor III

WAN2_int is an Address to use the WAN2 interface only.

config firewall address
edit "WAN2_int"
set associated-interface "wan2"
next
end

aionescu

Hi @AMAK 

To have better visibility on how the traffic is handled, can you please perform a debug of the traffic flow?

diagnose debug reset

diagnose debug flow filter addr x.x.x.x <----- where x.x.x.x is the source of the traffic.

diagnose debug flow trace start 100

diagnose debug enable

Is routing properly configured, are you able to reach 192.168.1.54 from the FortiGate?

AMAK
New Contributor III

Firewall60F # diag debug flow trace  start 50
Firewall60F # diag debug  enable
Firewall60F # id=65308 trace_id=1 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=6, 192.168.1.25:52645->XX.XXX.XXX.XX:80) tun_id=0.0.0.0 from internal. flag [S], seq 368941642, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6049 msg="allocate a new session-000301a2, tun_id=0.0.0.0"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find DNAT: IP-192.168.1.54, port-84"
id=65308 trace_id=1 func=fw_pre_route_handler line=176 msg="VIP-192.168.1.54:84, outdev-unknown"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3498 msg="DNAT XX.XXX.XXX.XX:80->192.168.1.54:84"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.1.54 via internal"
id=65308 trace_id=1 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=79, len=2"
id=65308 trace_id=1 func=fw_forward_handler line=757 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=2 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=6, 192.168.1.25:52646->XX.XXX.XXX.XX:80) tun_id=0.0.0.0 from internal. flag [S], seq 3094431630, ack 0, win 64240"

aionescu

Hi, the output shows that the traffic is dropped because there is no policy to allow it.

As per your first comment the traffic is expected to come from WAN but in the provided output it comes from "internal". Please check if the policy is correctly configured.
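The debug flow procedure aionescu gave earlier and the trace AMAK posted can be checked mechanically rather than by eye. The following is an added example (my own Python, not code from the thread, from Fortinet, or from any FortiOS tool): it parses `diagnose debug flow` output per trace_id, pulls out the ingress interface, the DNAT rewrite, the egress interface from the route lookup and the final verdict, and compares them with the policy as the original poster described it (incoming WAN1, outgoing internal, VIP mapped to 192.168.1.54:84). The sample input is constructed from the thread's own trace lines with the CLI prompt stripped and the wrapped line re-joined; the `Allowed by Policy-<id>` pattern is a FortiOS trace message for accepted sessions that is not quoted in this thread. On this input it reports the implicit deny (policy 0) and that the packet entered on `internal` while the policy expects `wan1`, which is exactly the mismatch pointed out above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the trace lines quoted in the thread, with the CLI
# prompt removed and the line that wrapped during extraction re-joined.
# The public address stays masked exactly as the poster masked it.
SAMPLE_TRACE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=6, 192.168.1.25:52645->XX.XXX.XXX.XX:80) tun_id=0.0.0.0 from internal. flag [S], seq 368941642, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6049 msg="allocate a new session-000301a2, tun_id=0.0.0.0"
id=65308 trace_id=1 func=get_new_addr line=1228 msg="find DNAT: IP-192.168.1.54, port-84"
id=65308 trace_id=1 func=fw_pre_route_handler line=176 msg="VIP-192.168.1.54:84, outdev-unknown"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3498 msg="DNAT XX.XXX.XXX.XX:80->192.168.1.54:84"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.1.54 via internal"
id=65308 trace_id=1 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=79, len=2"
id=65308 trace_id=1 func=fw_forward_handler line=757 msg="Denied by forward policy check (policy 0)"
"""

# The policy as the original poster described it (interface names lower-cased
# to match how FortiOS prints them in the trace).
POSTER_POLICY = {"srcintf": "wan1", "dstintf": "internal", "vip_mapped": "192.168.1.54:84"}

TRACE_ID_RE = re.compile(r"\btrace_id=(\d+)\b")
PACKET_RE = re.compile(r"received a packet\(proto=(\d+), ([\w.]+):(\d+)->([\w.]+):(\d+)\).*? from (\w+)\.")
DNAT_RE = re.compile(r'msg="DNAT ([\w.]+):(\d+)->([\w.]+):(\d+)"')
ROUTE_RE = re.compile(r'find a route: .*? via (\w+)"')
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
# Accepted sessions log "Allowed by Policy-<id>" instead; that line is not quoted in the thread.
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")


@dataclass
class FlowTrace:
    trace_id: int
    src: Optional[str] = None       # original source ip:port
    dst: Optional[str] = None       # original destination ip:port (before DNAT)
    ingress: Optional[str] = None   # interface the packet arrived on
    dnat_to: Optional[str] = None   # ip:port after the VIP rewrite
    egress: Optional[str] = None    # interface chosen by the route lookup
    verdict: Optional[str] = None   # "allowed" or "denied"
    policy_id: Optional[int] = None


def parse_flow_trace(text: str) -> Dict[int, FlowTrace]:
    """Group trace lines by trace_id and extract the fields that matter for a VIP/policy check."""
    traces: Dict[int, FlowTrace] = {}
    for line in text.splitlines():
        tid_m = TRACE_ID_RE.search(line)
        if not tid_m:
            continue
        tid = int(tid_m.group(1))
        t = traces.setdefault(tid, FlowTrace(tid))
        if m := PACKET_RE.search(line):
            t.src = f"{m.group(2)}:{m.group(3)}"
            t.dst = f"{m.group(4)}:{m.group(5)}"
            t.ingress = m.group(6)
        elif m := DNAT_RE.search(line):
            t.dnat_to = f"{m.group(3)}:{m.group(4)}"
        elif m := ROUTE_RE.search(line):
            t.egress = m.group(1)
        elif m := DENY_RE.search(line):
            t.verdict, t.policy_id = "denied", int(m.group(1))
        elif m := ALLOW_RE.search(line):
            t.verdict, t.policy_id = "allowed", int(m.group(1))
    return traces


def diagnose(t: FlowTrace, policy: Dict[str, str]) -> List[str]:
    """Compare what the trace shows with what the policy expects; return readable mismatches."""
    findings: List[str] = []
    if t.verdict == "denied" and t.policy_id == 0:
        findings.append("session hit the implicit deny (policy 0): no firewall policy matched it")
    if t.ingress and t.ingress.lower() != policy["srcintf"].lower():
        findings.append(f"packet entered on '{t.ingress}' but the policy's incoming interface is '{policy['srcintf']}'")
    if t.egress and t.egress.lower() != policy["dstintf"].lower():
        findings.append(f"route points out '{t.egress}' but the policy's outgoing interface is '{policy['dstintf']}'")
    if t.dnat_to and t.dnat_to != policy["vip_mapped"]:
        findings.append(f"DNAT rewrote to {t.dnat_to}, but the VIP is configured for {policy['vip_mapped']}")
    return findings


if __name__ == "__main__":
    for tid, t in parse_flow_trace(SAMPLE_TRACE).items():
        print(f"trace {tid}: {t.src} -> {t.dst} in={t.ingress} dnat={t.dnat_to} "
              f"out={t.egress} verdict={t.verdict} policy={t.policy_id}")
        for finding in diagnose(t, POSTER_POLICY):
            print("  !", finding)
```

Feed it the raw output of `diagnose debug flow trace start N` (after `diagnose debug enable`) and the policy you believe should match; anything it reports is a field where the packet the FortiGate actually saw differs from the policy you wrote, which is the comparison being made in this thread by hand.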

TerenceBC
New Contributor

Any solution to this?
