- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Yet another VIP thread
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yet another VIP thread
I have a 50-E running 5.4.4. It is currently configured and working fine. I have a second 50-E at another building that is also working and an IPsec tunnel exists between the two.
I am coming from Junipers, so I feel somewhat comfortable but am running into difficulty w/ VIPs. In fact I just deployed these 50Es to replace a Juniper 208 and 5gt. The VIP service on the Junipers worked without issue.
I am attempting to allow outside remote access directly to some DVR systems.
I have 5 public IPs attached to wan1 from the ISP box.
Public IP of the wan1 is set to x.x.x.176
VIP I am configuring is x.x.x.168
I have configured custom services and grouped them for this task. I will be speaking specifically of just one as whatever the issue is will be resolved once that connects.
DVR1 service > TCP protocol. 10.0.0.150 internal IP. TCP Range: dest 0-65535 src 5000
VIP for DVR > external range x.x.x.168 to x.x.x.168. Mapped address is 10.0.0.1 NAT disabled. prt forwarding TCP external 5000 and mapped 5000.
Policy is: wan to lan. src all. destination address is the vip group. service is all the DVR services. This is the only wan to lan policy so nothing above it to create havoc.
I am able to connect directly to the DVRs on the internal so they are functioning fine.
I'm at a loss. Any help would be very appreciated.
Labels:
- Labels:
-
5.4
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try removing the IP from the service, it looks like your src and dst service ports are backwards. it should be reversed. from any source port to destination port 5000. Also remove port forwarding from your VIP and let the security policy(and service) dictate what ports are allowed in.
Hope that helps
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If that doesnt work then can you show us the CLI config for you have.
config firewall service custom
edit xxx
show
end
config firewall vip
edit xxx
show
end
config firewall policy
edit xx
show
end
put the name or number each entry where the x's are. Replace any sensitive information as needed.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Eugene.milon wrote:I have verified that the other public addresses are routing as they should. That would've been easier to blame it on the ISP, but at least it's ruled out.If that doesnt work then can you show us the CLI config for you have.
config firewall service custom
edit xxx
show
end
config firewall vip
edit xxx
show
end
config firewall policy
edit xx
show
end
put the name or number each entry where the x's are. Replace any sensitive information as needed.
CLI config
The two custom services:
--More-- edit "DVR1 Server"
--More-- set category "Camera Systems"
--More-- set iprange 10.0.0.150
--More-- set tcp-portrange 0-65535:5000 0-65535:100
--More-- next
--More-- edit "DVR2 Server"
--More-- set category "Camera Systems"
--More-- set iprange 10.0.0.151
--More-- set tcp-portrange 0-65535:5001 0-65535:100
--More-- next
--More-- end
VIPs
edit "DVR1 Server"
set uuid xxxx
set extip x.x.x.168
set extintf "wan1"
set portforward enable
set mappedip "10.0.0.150"
set extport 5000
set mappedport 5000
next
edit "DVR2 Server"
set uuid xxxx
set extip x.x.x.168
set extintf "wan1"
set portforward enable
set mappedip "10.0.0.1"
set extport 5001
set mappedport 5001
Policy
wan:
set name "internet"
set uuid xxxx
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
DVR
--More-- set name "DVR access"
--More-- set uuid xxxx
--More-- set srcintf "wan1"
--More-- set dstintf "lan"
--More-- set srcaddr "all"
--More-- set dstaddr "DVRs"
--More-- set action accept
--More-- set schedule "always"
--More-- set service "DVR1 Server" "DVR2 Server"
--More-- set logtraffic all
I have other policies related to the tunnel and wifi and such but shouldn't be relevant here.
Thanks again for the help. I will continue at this but will call support if need be.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On the inbound portforwarding is correct since were using the same public my mistake, VIPs are almost correct, but it seems to me your inbound VIP will not work because the service is not allowing that port. Try create a new service for testing and only set the destination for to 5000-5001. On the inbound your source port will always change due port address translation but the destination port will remain the same. If were talking about inbound traffic that's what I think would fix it. Also if your trying to do a uturn NAT (access the public IP from the inside) then you can remove the interface from the VIP. If you run the following commands it will show your the logic of allow/deny when your testing
diagnose debug flow filter daddr X.X.X.168
diagnose debug flow trace start 200
diagnose debug enable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried removing the IP from the service, no change.
The src and dest ports are not backwards. src is 5000. dest is full range.
Attempting to remove port forwarding from the VIP and let it refer to the service comes back that a duplicate entry already exists. Besides, I understood that by removing port forwarding that it starts down the path of a one to one and I wouldn't be able to define multiple internal IPs.
I have plans for after hours to test to make sure this .168 public ip for remote VIP access is still being routed by the ISP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BenJ wrote:To me that is reversed. Source should be any, destination should be 5000. When you go to a web page for example, you specify the destination port (80 for HTTP), not the source port. Try getting to a server when the port is a moving target. Makes no sense... That would be synonymous to delivering a package to an apartment building without knowing the apartment number. Who cares where it came from (source port 5000), the Internet needs to know where exactly it needs to go (destination 5000!).I tried removing the IP from the service, no change.
The src and dest ports are not backwards. src is 5000. dest is full range.
Attempting to remove port forwarding from the VIP and let it refer to the service comes back that a duplicate entry already exists. Besides, I understood that by removing port forwarding that it starts down the path of a one to one and I wouldn't be able to define multiple internal IPs.
I have plans for after hours to test to make sure this .168 public ip for remote VIP access is still being routed by the ISP.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Eugene.milon wrote:If the port forwarding is removed from the VIP, then ALL ports will be forwarded basically clobbering any other access to that IP address. You should never do this if you only have a single IP address to work with.Hi,
Try removing the IP from the service, it looks like your src and dst service ports are backwards. it should be reversed. from any source port to destination port 5000. Also remove port forwarding from your VIP and let the security policy(and service) dictate what ports are allowed in.
Hope that helps
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
What capture tells if run 'diag sniffer packet any 'host VIP or mappedIP' 4'? Below debug commands are also helpful.
diag debug flow filter dport 5000
diag debug flow trace start 10
Regards
Related Posts
- SSL VPN for MAC M1 MAX 418 Views
- FortiClient VPN 7.0.8 and 7.2.3 326 Views
- FSSO Windows NPS 341 Views
- FortiAuthenticator ERROR: No mutually acceptable types... 810 Views
- Can I load the config from... 548 Views
Labels
-
FortiGate
6,448 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.