Zenith
New Contributor

Accessing internal server by its public VIP?

Hi guys,

I've done a search and come across a few answers but wonder if anything has changed in the later versions of FortiOS to make this simpler.

Suppose we have two servers on the internal side of a FortiGate (in some cases on the same interface, in some cases on a different interface (VLAN)). They can communicate with each other using their own internal IP addresses, but how do we allow them to communicate using their public/external IP addresses? We are using StaticNAT VIPs to assign these external addresses.

On some other firewalls you have a feature (sometimes called NAT Loopback) that allows servers like the ones above to communicate using their assigned external addresses; I guess the routing engine of the firewall recognises the external address as the destination on the packets and so runs them through the NAT processor. Is there any way of doing this on the FortiGate without using a Policy Route (which would not suit in our case due to the large number of external IPs going to various different VLANs)?

Thanks!

drak
New Contributor III

You should look into this: http://kb.fortinet.com/kb/documentLink.do?externalID=FD33976 (Technical Note: How internal users can access internal resources via an external VIP (public IP address)).

The main gotcha is using the external interface as 'any'.
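
The setup drak is pointing at, written out as FortiOS CLI. This is an added example, not drak's configuration or the KB article's text; the VIP name "web-vip", the public address 203.0.113.10 (documentation range), the mapped host 192.168.1.10 and the interface name "internal" are assumptions.

```fortios
# Added example (assumed names and addresses). A VIP whose external interface
# is "any" is translated no matter which interface the packet arrives on, so
# an internal client sending to the public address still hits the mapping.
# Because "any" matches every interface, reference this VIP only in policies
# where that path is intended.
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "192.168.1.10"
    next
end

# Hairpin policy: client and server on the same interface. Source NAT is
# enabled so the server's reply returns through the FortiGate instead of
# going straight to the client; without it the client would see a reply
# from 192.168.1.10 rather than from 203.0.113.10 and the TCP session would
# fail. Narrow srcaddr and service to the hosts and ports actually needed.
config firewall policy
    edit 0
        set name "hairpin-to-web-vip"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

For the cross-VLAN case in the original question, the policy uses the client VLAN as srcintf and the server VLAN as dstintf; the reply then already routes through the FortiGate, so the source NAT is only needed for the same-subnet case.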

Zenith
New Contributor

Ah yes, simple as that, thanks!  Not sure how I managed to miss that article!

enrico_denora
New Contributor

I have a FortiGate 40C and I need the possibility to access an internal server using the public IP from the internal LAN.

Example: our commercial people, when connecting from outside, use the public IP to access IMAP mail. When they come into the office and are connected to the internal LAN, nothing is working.

How can I manage a NAT loopback? Thank you very much.

Dave_Hall

enrico.denora wrote:

I have a FortiGate 40C and I need the possibility to access an internal server using the public IP from the internal LAN.

Example: our commercial people, when connecting from outside, use the public IP to access IMAP mail. When they come into the office and are connected to the internal LAN, nothing is working.

How can I manage a NAT loopback? Thank you very much.

An alternate solution [strike]to VIP and/or NAT[/strike] would be to set up the server(s) to be accessible by FQDN (resolvable by DNS), then set up DNS translation on the inside. See KB #FD34099 for a sample setup.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Zenith
New Contributor

Enrico, I'd agree with Dave: for a case like that you'd probably be better off with split DNS, assuming you control the DNS server these users use when they are in the office. This isn't an option for our case due to there being a large number of servers and us not controlling the DNS server...

Paul_Dean

Agreed. We used to use the DNS Database feature on the smaller FortiGates until it was removed. The DNS Translation feature is a useful alternative for you.
NSE4
Dave_Hall
Honored Contributor

Keep in mind that the DNS Translation option does not need to have a DNS server on the inside; from what I can tell (from my own experimenting) the FortiGate will translate any DNS query that crosses over an interface (assuming this part).

The example provided in KB #FD34099 shows a DNS server on the outside (WAN1) connection.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C