Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tronton_team
New Contributor

Created on ‎11-07-2016 12:30 AM

(ask) Cannot access ip public from internal network

hello, i want to ask, i have ip public 2.2.2.2 that mapped with virtual IP to internal network 192.168.10.5 to access CCTV,

if iam outside network and use mobile data with my phone i can access cctv with ip 2.2.2.2, but if i use my internal network and access cctv with my public ip 2.2.2.2 cannot access cctv, how to solve that problem? sory for my bad english.

8506
0 Kudos
6 REPLIES 6
Nils
Contributor II

Created on ‎11-07-2016 12:42 AM

Try to create a rule/policy from Internal to Internal with the VIP object as destination.

Not sure if this is working but give it a try.

3968
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to Nils

Created on ‎11-07-2016 01:19 AM

The policy is necessary, and the VIP must be connected to the "any" interface, not "wan". Please search the forums for "hairpin", this problem has been posted several times (with solutions).

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
3968
0 Kudos
tronton_team
New Contributor
In response to ede_pfau

Created on ‎11-07-2016 02:12 AM

thx for your answer, i try to search with keyword hairpin in forums

3968
0 Kudos
MikePruett
Valued Contributor
In response to tronton_team

Created on ‎11-07-2016 11:42 AM

Is this really a "bug" though or is it just that the FortiGate follows RFC exactly.

Mike Pruett

Fortinet GURU | Fortinet Training Videos

Mike Pruett Fortinet GURU | Fortinet Training Videos
3968
0 Kudos
Nils
Contributor II
In response to MikePruett

Created on ‎11-08-2016 12:38 AM

MikePruett wrote:

Is this really a "bug" though or is it just that the FortiGate follows RFC exactly.

It's not a bug, it just how the firewall is working.

Same problem with Cisco ASA for example.

If not don't allow the traffic on a interface, the firewall will drop the traffic.

3968
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to Nils

Created on ‎11-08-2016 03:51 AM

Never thought of this as being a bug. "Life of a packet" says NAT comes first, then policy. So essentially you make an 'internal' to 'internal' connection. This is reflected in the policy.

 

The only tricky (as in: hidden) part is that the VIP needs to be unbound, i.e. bound to 'any'. This is an implementation detail as the VIP triggers arp proxying as well as address translation. Specifying the VIP's interface restricts the arp action to what is necessary, releaving the CPU. In this case, it needs to be 'listen to all traffic' though.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
3968
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.