Is it possible to map an IP between interfaces to allow connection to the mapped IP?
I'm using a FortiGate 100D
3 Interfaces
WAN Interface
LAN1 Interface ( 10.168.1.0/24 ) Fortigate Interface IP : 10.168.1.1
LAN2 Interface ( 10.168.100.0/24 ) Fortigate Interface IP : 10.168.100.1
I'm looking for a way to connect to LAN1 (10.168.1.30) from the LAN2 network.
Here's what I did:
1. Create Virtual IP
10.168.1.30 -> 10.168.100.10 (with interface :ANY)
2. set Policy
Policy1) From LAN2 to LAN1 any address allow all to Virtual IP no NAT
Policy2) From LAN1 to LAN2 any address allow all to any address no NAT
which did not work.
What am I missing here?
How are the new policies ordered - are they above existing policies between LAN1 and LAN2?
Are you using ping to test, or another protocol? Try telnet and see what happens.
Try running a sniff and flow trace to see where the communication breaks down:
di sniff pack any "host w.x.y.z and port x" 4 //--diagnose sniffer packet; replace w.x.y.z with the source IP of your testing host (the VIP will NAT the destination, so we want to track the IP which will not change as it traverses the FortiGate); also, replace x with the port you are using for testing, e.g. 23 for telnet
<test a telnet session, then press Ctrl+C to stop the capture>
di de reset //--diagnose debug reset
di de en //--diagnose debug enable
di de fl s c en //--diagnose debug flow show console enable
di de fl s f en //--diagnose debug flow show function-name enable
di de fl filter addr w.x.y.z //--same IP as above
di de fl filter port x //--same port as above
di de fl tr start 5000 //--diagnose debug flow trace start; trace up to 5000 packets
di de fl tr stop //--type this without pressing Enter before running the test, so that you can easily stop the flow trace later
<run the test, then...>
<Enter>
di de fl filter clear //--clear the flow filter
di de reset
di de di //--diagnose debug disable
Regards, Chris McMullan Fortinet Ottawa
@yusaku
Sounds like you got the IP addresses reversed in the VIP if you want to go from LAN2->LAN1. Haven't tested this nor completely worked it out, but maybe you want something similar to the attached pic. Enable NAT if you want source IP (10.168.100.10?) converted to the LAN1 interface IP (or use an IP pool if it's another IP address).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
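The point of the reply above, written out as FortiOS CLI. This is an added example and not configuration from anyone in this thread: the interface names "lan1" and "lan2" are assumptions (use the names from "config system interface" on the actual 100D), and the "#" lines are explanatory comments to strip before pasting into the CLI. It shows the VIP as the question describes it beside the corrected direction, with the single policy that the LAN2 to LAN1 flow needs.

```fortios
# Added example, not from the thread. Interface names "lan1"/"lan2" are assumptions.

# As described in the question (reversed): extip is the LAN1 host and mappedip
# is a LAN2 address. A LAN2 client sending to 10.168.1.30 has its destination
# rewritten to 10.168.100.10, which routes straight back out lan2, so the
# LAN2 -> LAN1 policy never matches and the session is dropped.
config firewall vip
    edit "vip-reversed"
        set extip 10.168.1.30
        set mappedip "10.168.100.10"
        set extintf "any"
    next
end

# Corrected direction: extip is the address the LAN2 client connects to (a free
# address on LAN2, here the question's 10.168.100.10); mappedip is the real
# LAN1 host. Binding extintf to lan2 keeps the DNAT from matching on other
# interfaces; the FortiGate answers ARP for the extip on lan2 by default.
config firewall vip
    edit "vip-lan1-host"
        set extip 10.168.100.10
        set mappedip "10.168.1.30"
        set extintf "lan2"
    next
end

# One policy in the LAN2 -> LAN1 direction with the VIP as destination is
# enough; reply packets belong to the existing session and need no LAN1 -> LAN2
# policy. "set nat disable" keeps the client's real source IP, which requires
# 10.168.1.30 to route 10.168.100.0/24 back via 10.168.1.1 (true when the
# FortiGate is its default gateway). Use "set nat enable" to source-NAT to the
# lan1 interface IP if that return route cannot be guaranteed. Place this
# policy above any broader LAN2 -> LAN1 rule, since the first match wins.
config firewall policy
    edit 0
        set name "lan2-to-lan1-vip"
        set srcintf "lan2"
        set dstintf "lan1"
        set srcaddr "all"
        set dstaddr "vip-lan1-host"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

With "logtraffic all" set, a failed attempt shows up in the forward traffic log with the policy it matched (or "implicit deny"), which narrows the problem before the debug flow trace from the earlier reply is needed.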
Christopher has it right: get out your diagnostic debug flow and follow the trace. Also recheck all VIP mappings and policies.
ken
PCNSE
NSE
StrongSwan
Copyright 2024 Fortinet, Inc. All Rights Reserved.