Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jaime_D
New Contributor

Virtual IP not working

Hi, I have the following configuration in my F60B:
Interface WAN1: 82.144.15.178 / 255.255.255.248
Interface INTERNAL: 192.168.1.250 / 255.255.255.0
I have created two Virtual IPs: one for a mail and web server (wan1/82.144.15.178 -> 192.168.1.248) and another for a second web server (wan1/82.144.15.180 -> 192.168.1.8). There's a particular fact: the second server is a virtualized one, hosted in the first one, sharing the same NIC (bridged mode). Well, the Fortigate F60B is going to replace a Checkpoint Safe@Office 500. Yesterday I tried to do a "hot" replace (the two boxes were running, the "same" configuration... replace connections...). But I had to go back to the Safe@Office because the virtualized web server (192.168.1.8) couldn't be reached from the Internet. The other web and mail server were running fine. The web server runs XOOPS, Moodle, and phplist. I wonder if this could be related to the way XOOPS / Moodle serve pages: they redirect to the URL, and perhaps the firewall blocks connections from internal to the external IP... So I have disconnected the F60B waiting for a solution to my problem... Any suggestion? Thanks in advance, Jaime D
abelio
SuperUser

Which is the virtualized server's default gateway? 192.168.1.250 or something else? If it's 192.168.1.250, try sniffing one session to see what's happening. If you don't use those tools yet, use these articles as guidelines: http://kc.forticare.com/default.asp?id=1655 http://kc.forticare.com/default.asp?id=1186

regards / Abel
Jaime_D
New Contributor

Hi Abel, the virtualized server's default gateway is 192.168.1.250. Next Monday I'll post the results of one sniffed session. Thanks, Jaime D
Jaime_D
New Contributor

Hi, I'm in touch with technical support. Apparently they haven't changed anything, but now both servers can be reached from the Internet. But I had to bring the Checkpoint router back because my Windows Server 2003 cannot connect to the domain (several netlogon errors: 5719, 5783...). It seems that when the Fortigate is connected, the Virtual IP configuration isolates the server from the LAN. Even when I've configured an internal to internal policy from all to all computers, any port, any time... Too strange, Jaime D
Not applicable

Hi Jaime, is the domain controller on the same subnet as the Windows server? If so, the traffic would never get to the firewall, i.e. the firewall would not be blocking it. This seems to be a little more complex than it appeared initially. Can you post the output of "ipconfig /all" from your servers and a "show system interface" from the Fortinet command line? -S
rwpatterson
Valued Contributor III

If you need to share UNC-type drive shares and things of the Microsoft sort, from the CLI you need to add the following command to the interfaces involved (as well as the permissions in the policies):
config system interface
    edit "internal"
        set vdom "root"
        set ip xxx.xxx.xx.xxx 255.255.0.0
        set allowaccess ...
        set netbios-forward enable
        set type physical
    next
    edit "dmz"
        set vdom "root"
        set ip xxx.xxx.xx.xxx 255.255.0.0
        set allowaccess ...
        set netbios-forward enable
        set type physical
    next
end

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Jaime_D
New Contributor

Here you have:
config system interface
    edit "wan1"
        set vdom "root"
        set ip 82.144.15.181 255.255.255.248
        set allowaccess ping https ssh http
        set type physical
    next
    edit "modem"
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
    next
    edit "wan2"
        set vdom "root"
        set ip 10.115.12.4 255.255.255.0
        set allowaccess ping https
        set status down
        set type physical
    next
    edit "dmz"
        set vdom "root"
        set ip 172.24.1.5 255.255.255.0
        set status down
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.250 255.255.255.0
        set allowaccess ping https http
        set netbios-forward enable
        set type physical
    next
end

And ipconfig /all for my WS2003:

C:\Documents and Settings\Administrador.RETANET.000>ipc

Configuración IP de Windows

   Nombre del host . . . . . . . : retamar0
   Sufijo DNS principal . . . . : RETANET.RETANET
   Tipo de nodo. . . . . . . . . : híbrido
   Enrutamiento habilitado . . . : No
   Proxy WINS habilitado . . . . : No
   Lista de búsqueda sufijo DNS : RETANET.RETANET

Adaptador Ethernet VMware Network Adapter VMnet8:

   Sufijo conexión específica DNS:
   Descripción . . . . . . . . . : VMware Virtual Ether
   Dirección física. . . . . . . : 00-50-56-C0-00-08
   DHCP habilitado . . . . . . . : No
   Dirección IP. . . . . . . . . : 192.168.112.1
   Máscara de subred . . . . . . : 255.255.255.0
   Puerta de enlace predet.. . . :

Adaptador Ethernet VMware Network Adapter VMnet1:

   Sufijo conexión específica DNS:
   Descripción . . . . . . . . . : VMware Virtual Ether
   Dirección física. . . . . . . : 00-50-56-C0-00-01
   DHCP habilitado . . . . . . . : No
   Dirección IP. . . . . . . . . : 192.168.183.1
   Máscara de subred . . . . . . : 255.255.255.0
   Puerta de enlace predet.. . . :

Adaptador Ethernet Conexión de área local 2:

   Sufijo conexión específica DNS:
   Descripción . . . . . . . . . : Broadcom NetXtreme G
   Dirección física. . . . . . . : 00-18-8B-E6-DB-6A
   DHCP habilitado . . . . . . . : No
   Dirección IP. . . . . . . . . : 192.168.1.248
   Máscara de subred . . . . . . : 255.255.255.0
   Puerta de enlace predet.. . . : 192.168.1.250
   Servidores DNS. . . . . . . . : 192.168.1.2
   Servidor WINS principal . . . : 192.168.1.2

The fact is that when I connect the F60B I can reach from the Internet the two Virtual IPs I've defined above. But the WS2003 that has a mail server running inside is not able to send mail, to browse any web page, etc. This could explain why it "also" is not able to connect to the PDC (which is in the same subnet). From the Internet I can reach this server with POP and SMTP. But the server cannot initiate any SMTP session to the Internet, so it cannot send any mail. Any suggestion? Thanks, Jaime D
rwpatterson
Valued Contributor III

Check the OUTGOING policy. Make sure NAT is enabled.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
g3rman
New Contributor

Hi Jaime, as rw mentions, please check to make sure you have a policy which states: internal -> wan1 -> service: any -> action: permit -> NAT: enabled. Also, what you are saying is that your PDC and your Win2k3 server are both on the 192.168.1.x subnet and both have a netmask of 255.255.255.0. If that is the case, then there is no way that the firewall would be blocking traffic between the two, since they would not be communicating with each other through the firewall. Just to be clear, can you also attach an ipconfig from the server that is trying to communicate with retamar0? When you install the Fortigate, can you still ping between your PDC and your Win2k3 server?
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
Jaime_D
New Contributor

Hi all, thank you for your help. News from today: I've reset my F60 to factory defaults. Starting again! I followed these steps:
- Internal interface / WAN1 interface / Gateway
- Policy: all (internal) to (WAN1), all ports, any time, without protection profile (NAT checked)
And now, with only one policy, we could figure we would reach the Internet from my WS2003... not at all. All the LAN could, except this server... ???? Impossible. I turned off VMware Server but... nothing: no browsing, ping, etc. Then I reviewed the network configuration and I saw that a program called "Intel Pro Network utility" or similar was running, but my network card is a Broadcom NetXtreme... This Intel software is part of the "old" server (it was migrated with Acronis True Image Server with Universal Restore from one machine to a new one). Uninstall "Intel Pro Network", reboot... and... here you have!!! The server can now reach the Internet. Strange thing: the malfunction only happened with the Fortigate F60; when replaced with the Safe@Office it worked fine. Now I have to configure the Virtual IPs, but it seems to work. The only thing still not working is SMTP mail delivery to the Internet. I created a policy from internal to WAN1; source address: my server; destination port SMTP; NAT (IP pool: external IP)... but from now on I get this error on the mail server:

Mon 2008-05-12 17:15:27: Session 114; child 1
Mon 2008-05-12 17:14:45: Parsing message <c:\mdaemon\remoteq\pd35000187571.msg>
Mon 2008-05-12 17:14:45: * From: jdominguez@retamail.com
Mon 2008-05-12 17:14:45: * To: jaime.dominguez.barbero@gmail.com
Mon 2008-05-12 17:14:45: * Subject: pepe
Mon 2008-05-12 17:14:45: * Message-ID: <000d01c8b442$a31ff180$0101a8c0@web>
Mon 2008-05-12 17:14:45: Intentando SMTP conexión con [gmail.com]
Mon 2008-05-12 17:14:45: Resolviendo registros MX para [gmail.com] (Servidor DNS: 192.168.1.2)...
Mon 2008-05-12 17:14:45: * P=005 S=002 D=gmail.com TTL=(10) MX=[gmail-smtp-in.l.google.com] {209.85.135.27}
Mon 2008-05-12 17:14:45: * P=005 S=005 D=gmail.com TTL=(10) MX=[gmail-smtp-in.l.google.com] {209.85.135.114} multi-homed
Mon 2008-05-12 17:14:45: * P=010 S=003 D=gmail.com TTL=(10) MX=[alt1.gmail-smtp-in.l.google.com] {74.125.47.114}
Mon 2008-05-12 17:14:45: * P=010 S=004 D=gmail.com TTL=(10) MX=[alt2.gmail-smtp-in.l.google.com] {64.233.171.27}
Mon 2008-05-12 17:14:45: * P=010 S=006 D=gmail.com TTL=(10) MX=[alt1.gmail-smtp-in.l.google.com] {74.125.47.27} multi-homed
Mon 2008-05-12 17:14:45: * P=050 S=000 D=gmail.com TTL=(10) MX=[gsmtp147.google.com] {209.185.147.27}
Mon 2008-05-12 17:14:45: * P=050 S=001 D=gmail.com TTL=(10) MX=[gsmtp183.google.com] {64.233.183.27}
Mon 2008-05-12 17:14:45: Intentando SMTP conexión con [209.85.135.27:25]
Mon 2008-05-12 17:14:45: * 209.85.135.27 in connection failure cache for up to 5 minutes due to previous connection failure(s)
Mon 2008-05-12 17:14:45: Intentando SMTP conexión con [209.85.135.114:25]
Mon 2008-05-12 17:14:45: Esperando la conexión del socket...
Mon 2008-05-12 17:15:06: * Winsock Error 10060 Se ha agotado el tiempo de espera de la conexión.
Mon 2008-05-12 17:15:06: * 209.85.135.114 added to connection failure cache for 5 minutes
Mon 2008-05-12 17:15:06: Intentando SMTP conexión con [74.125.47.114:25]
Mon 2008-05-12 17:15:06: * 74.125.47.114 in connection failure cache for up to 5 minutes due to previous connection failure(s)
Mon 2008-05-12 17:15:06: Intentando SMTP conexión con [64.233.171.27:25]
Mon 2008-05-12 17:15:06: * 64.233.171.27 in connection failure cache for up to 5 minutes due to previous connection failure(s)
Mon 2008-05-12 17:15:06: Intentando SMTP conexión con [74.125.47.27:25]
Mon 2008-05-12 17:15:06: Esperando la conexión del socket...
Mon 2008-05-12 17:15:27: * Winsock Error 10060 Se ha agotado el tiempo de espera de la conexión.
Mon 2008-05-12 17:15:27: * 74.125.47.27 added to connection failure cache for 5 minutes
Mon 2008-05-12 17:15:27: Intentando SMTP conexión con [209.185.147.27:25]
Mon 2008-05-12 17:15:27: * 209.185.147.27 in connection failure cache for up to 5 minutes due to previous connection failure(s)
Mon 2008-05-12 17:15:27: Intentando SMTP conexión con [64.233.183.27:25]
Mon 2008-05-12 17:15:27: * 64.233.183.27 in connection failure cache for up to 5 minutes due to previous connection failure(s)
Mon 2008-05-12 17:15:27: Este mensaje tiene 2 minutos de antigüedad; faltan 58 minutos en esta cola
Mon 2008-05-12 17:15:27: La sesión de SMTP ha finalizado (Bytes entrados/salidos: 0/0)

"Intentando conexión" >>> "trying connection to"
Any suggestion? Thanks, Jaime
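Pulling together the pieces discussed in this thread (the two VIPs from the first post, the internal-to-wan1 NAT policy g3rman spells out, and the IP pool Jaime adds for outbound SMTP), here is a FortiOS CLI configuration added as an example; it is not from any post or from Fortinet documentation. Object names, policy IDs and the predefined service names are assumptions written in FortiOS 3.x-era syntax, to be checked against the firmware's own CLI reference.

```fortios
# Added example, not from the thread; names and IDs are assumptions.
config firewall vip
    edit "vip-mail-web"
        set extintf "wan1"
        set extip 82.144.15.178
        set mappedip 192.168.1.248
    next
    edit "vip-web2"
        set extintf "wan1"
        set extip 82.144.15.180
        set mappedip 192.168.1.8
    next
end
config firewall address
    edit "srv-mail"
        set subnet 192.168.1.248 255.255.255.255
    next
end
# Pool so outbound SMTP leaves as .178 (the published mail address), not .181
config firewall ippool
    edit "pool-mail-out"
        set startip 82.144.15.178
        set endip 82.144.15.178
    next
end
config firewall policy
    # Mail server out: SMTP only, source-NATed from the pool
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "srv-mail"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "pool-mail-out"
    next
    # Inbound to the VIPs: only the offered services, not ANY; no NAT needed
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-mail-web" "vip-web2"
        set action accept
        set schedule "always"
        set service "SMTP" "POP3" "HTTP" "HTTPS"
    next
end
```

Policy 1 has to sit above the general internal-to-wan1 NAT rule already on the box, or that rule matches the mail server's traffic first and it leaves as the wan1 address. LAN clients that follow a redirect to the public name would additionally need an internal-to-internal policy with the VIP as destination and NAT enabled (hairpin NAT), which this example omits.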