Hello I have a VIP for the server SCMAAS01 (10.128.0.30) where external IP is 10.146.136.30 and internal is 10.128.0.30. This VIP is just used in a policy (id 49) from an IPsec tunnel. (VPN_2_ETA) to internal interface (SERVER) for all protocols. For the other direction, I use an IP_POOL named NAT_SCMAAS01 where external IP range is 10.146.136.30-10.146.136.30 of type One-to-One. This object is only used in the policy (id 48) to internal interface (SERVER) from an IPsec tunnel. (VPN_2_ETA) for all protocols. Now, this server (10.128.0.30) is unable to go to internet. a policy exist to allow the trafic but I saw in the log that SNAT is applied too... In the policy (id 50) to allow this server to go to internet, NAT is configured of course but we don't use the NAT_POOL but the outgoing interface (195.141.249.225). Below the log.
SCMAFW01 # 2018-09-13 11:33:22 id=20085 trace_id=1503 func=print_pkt_detail line=5292 msg="vd-root received a packet(proto=6, 10.128.0.30:61013->8.8.8.8:53) from SERVERS. flagCan you help me please ?, seq 4119206949, ack 0, win 8192"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=init_ip_session_common line=5451 msg="allocate a new session-005aed6c"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=vf_ip_route_input_common line=2576 msg="find a route: flag=04000000 gw-195.141.249.17 via wan1"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=fw_forward_handler line=743 msg="Allowed by Policy-50: SNAT"
2018-09-13 11:33:22 id=20085 trace_id=1503 func=__ip_session_run_tuple line=3190 msg="SNAT 10.128.0.30->10.146.136.30:61013"
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi ,
Can u traceroute to internet (8.8.8.8) from the server and check , may be you have configured policy based route for server .
Regds,
Ashik
Hello @ashik,
no I haven't PBR on this firewall.
PS C:\Users\Administrator> TRACERT.EXE 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.128.0.1
2 * * * Request timed out.
3 * * * Request timed out.
10.128.0.1 is the gateway on the fortigate for this server.
Looks like you have issues in static route or may policy .
Regds,
Ashik
no... I have dozen of other servers in the same vlan and all is working fine. This server has a problem because it is the only one that have VIP and specific NAT on it.
yes and I guess I found my problem: When using vip without Port Forwarding enabled, the Internal IP address in the Mapped field would be translated to the IP address configured as the External Address in the VIP settings.
I need to specify port-forwarding first and probably the interface or the sources IP
VIP Setting is mainly applied for incoming traffic to server not to out going , so it shouldn't be a problem i believe .
Just check policy or routing .Or you might have any persistence route in the server , check using route print .
Regds,
Ashik
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1734 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.