FortiGate
Dongfang_Li_FTNT
Article Id 288479
Description

This article describes why, after the source geography address GEO-USA is added to the VIP policy so that only users from the USA can reach the local server, internal users in the same subnet as the server can no longer access it through its public IP address.

Topology: [diagram image]

Existing configuration:

config firewall address
    edit "192.168.198.0"
        set subnet 192.168.198.0 255.255.255.0
    next
end

config firewall vip
    edit "access-server"
        set extip 10.9.1.38
        set mappedip "192.168.198.2"
        set extintf "port1"
        set portforward enable
        set protocol icmp
    next
end

config firewall policy
    edit 4
        set name "Access  Server"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "GEO-USA"
        set dstaddr "access-server"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "Internet"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "192.168.198.0"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Scope

FortiGate.

Solution
  • Add a policy that allows the source subnet 192.168.198.0 to access the local server through the virtual IP:

config firewall policy
    edit 5
        set name "Access Server 2"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "192.168.198.0"
        set dstaddr "access-server"
        set schedule "always"
        set service "ALL"
    next
end

  • Flow trace: from the device 192.168.198.3, ping 10.9.1.38:

di de flow filter clear
di de flow filter proto 1
di de flow trace start 100
di de en

id=65308 trace_id=32 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.198.3:1->10.9.1.38:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=41."
id=65308 trace_id=32 func=init_ip_session_common line=6049 msg="allocate a new session-0007f5df, tun_id=0.0.0.0"
id=65308 trace_id=32 func=get_new_addr line=1228 msg="find DNAT: IP-192.168.198.2, port-1"
id=65308 trace_id=32 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=32 func=get_new_addr line=1228 msg="find SNAT: IP-10.9.1.38(from IPPOOL), port-60417"
id=65308 trace_id=32 func=fw_pre_route_handler line=176 msg="VIP-192.168.198.2:1, outdev-unknown"
id=65308 trace_id=32 func=__ip_session_run_tuple line=3498 msg="DNAT 10.9.1.38:8->192.168.198.2:1"
id=65308 trace_id=32 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.198.2 via port2"
id=65308 trace_id=32 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=82, len=3"
id=65308 trace_id=32 func=fw_forward_handler line=922 msg="Allowed by Policy-5: SNAT"
id=65308 trace_id=32 func=__ip_session_run_tuple line=3485 msg="SNAT 192.168.198.3->192.168.198.1:60417"
id=65308 trace_id=33 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.198.2:60417->192.168.198.1:0) tun_id=0.0.0.0 from port2. type=0, code=0, id=60417, seq=41."
id=65308 trace_id=33 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-0007f5df, reply direction"
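The trace above is what confirms the fix: the ICMP request enters on port2, is DNATed to the VIP's mapped IP, is routed back out port2 and is allowed by the new policy 5, and the reply matches the existing session. As an added example (not part of the original article and not Fortinet's tooling), the following Python script parses `diagnose debug flow` lines of this form, groups them by trace_id and extracts the decisions an engineer checks when validating a VIP change: ingress interface, original tuple, DNAT/SNAT translations, egress interface and policy verdict. The sample text is copied from the trace above; the regular expressions cover only the message formats shown there and are an assumption for any other FortiOS message type. The `hairpin_ok` check and the expected policy number are likewise this example's own convention.

```python
import re
from collections import defaultdict

# Sample 'diagnose debug flow' output, copied from the trace in this article and
# embedded here so the script runs offline.
SAMPLE_TRACE = """\
id=65308 trace_id=32 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.198.3:1->10.9.1.38:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=41."
id=65308 trace_id=32 func=init_ip_session_common line=6049 msg="allocate a new session-0007f5df, tun_id=0.0.0.0"
id=65308 trace_id=32 func=get_new_addr line=1228 msg="find DNAT: IP-192.168.198.2, port-1"
id=65308 trace_id=32 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=32 func=get_new_addr line=1228 msg="find SNAT: IP-10.9.1.38(from IPPOOL), port-60417"
id=65308 trace_id=32 func=fw_pre_route_handler line=176 msg="VIP-192.168.198.2:1, outdev-unknown"
id=65308 trace_id=32 func=__ip_session_run_tuple line=3498 msg="DNAT 10.9.1.38:8->192.168.198.2:1"
id=65308 trace_id=32 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.198.2 via port2"
id=65308 trace_id=32 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=82, len=3"
id=65308 trace_id=32 func=fw_forward_handler line=922 msg="Allowed by Policy-5: SNAT"
id=65308 trace_id=32 func=__ip_session_run_tuple line=3485 msg="SNAT 192.168.198.3->192.168.198.1:60417"
id=65308 trace_id=33 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.198.2:60417->192.168.198.1:0) tun_id=0.0.0.0 from port2. type=0, code=0, id=60417, seq=41."
id=65308 trace_id=33 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-0007f5df, reply direction"
"""

# Patterns for the message formats seen in the article's trace. Any other
# FortiOS message type is simply left unparsed (assumption of this example).
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) .* from (?P<intf>\w+)\.')
DNAT_RE = re.compile(r'^DNAT (?P<orig>\S+)->(?P<new>\S+)$')
SNAT_RE = re.compile(r'^SNAT (?P<orig>\S+)->(?P<new>\S+)$')
ROUTE_RE = re.compile(r'find a route: .* via (?P<intf>\w+)$')
POLICY_RE = re.compile(r'^Allowed by Policy-(?P<pid>\d+)')


def new_record():
    """Empty per-trace summary; every field is filled only if the trace shows it."""
    return {'ingress': None, 'src': None, 'dst': None, 'proto': None,
            'dnat': None, 'snat': None, 'route_intf': None,
            'policy': None, 'verdict': None, 'existing_session': False}


def parse_flow_line(line):
    """Return (trace_id, func, msg) for a debug-flow line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return int(m.group('tid')), m.group('func'), m.group('msg')


def summarize_trace(text):
    """Group trace lines by trace_id and extract the forwarding decisions."""
    traces = defaultdict(new_record)
    for line in text.splitlines():
        parsed = parse_flow_line(line)
        if parsed is None:
            continue
        tid, _func, msg = parsed
        t = traces[tid]
        if m := PKT_RE.search(msg):
            t['proto'] = int(m['proto'])
            t['src'], t['dst'], t['ingress'] = m['src'], m['dst'], m['intf']
        elif m := DNAT_RE.match(msg):
            t['dnat'] = (m['orig'], m['new'])
        elif m := SNAT_RE.match(msg):
            t['snat'] = (m['orig'], m['new'])
        elif m := ROUTE_RE.search(msg):
            t['route_intf'] = m['intf']
        elif m := POLICY_RE.match(msg):
            t['verdict'], t['policy'] = 'allowed', int(m['pid'])
        elif msg.startswith('Denied'):
            t['verdict'] = 'denied'
        elif msg.startswith('Find an existing session'):
            t['existing_session'] = True
    return dict(traces)


def hairpin_ok(t, expected_policy):
    """True when a trace shows the hairpin path the article's fix is meant to produce:
    the packet was DNATed to the VIP's mapped IP, routed back out the interface it
    arrived on, and allowed by the expected policy."""
    return (t['dnat'] is not None and t['route_intf'] == t['ingress']
            and t['verdict'] == 'allowed' and t['policy'] == expected_policy)


if __name__ == '__main__':
    for tid, t in sorted(summarize_trace(SAMPLE_TRACE).items()):
        if t['existing_session']:
            print(f"trace {tid}: reply matched existing session, no policy lookup")
            continue
        print(f"trace {tid}: {t['src']} -> {t['dst']} in {t['ingress']}, "
              f"DNAT {t['dnat']}, SNAT {t['snat']}, out {t['route_intf']}, "
              f"{t['verdict']} by policy {t['policy']}, hairpin_ok={hairpin_ok(t, 5)}")
```

Running the script against the sample prints one line per trace_id; for trace 32 it reports ingress port2, DNAT to 192.168.198.2, egress port2 and "allowed by policy 5", and trace 33 is reported as the reply hitting the existing session. Feeding it the output of the same `diagnose debug flow` commands captured before the fix would show trace 32 without an "allowed" verdict, which is the quickest way to tell a missing policy from a routing or NAT problem.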