
Author
BWiebe
Silver Member
  • Total Posts : 74
  • Scores: 1
  • Reward points: 0
  • Joined: 2012/06/07 07:54:42
  • Status: offline
2018/10/21 12:28:39 (permalink)
0

VIP Issue

Hey all,
 
I've set up a couple of VIPs with the same external IP to different internal IPs/networks and different ports on a client's firewall running 6.0.3 (previously 6.0.2).
 
One of the VIPs only listens on TCP 7108 and forwards to a server on the Internal LAN.
The other VIP listens on 22 and is supposed to forward to a server on the DMZ LAN (ftp over ssh).
 
The issue is that traffic to the second VIP never seems to get to the firewall.  I sniff the IP and port 22, or I sniff the DMZ IP and port 22 and see nothing.  The first VIP to the internal LAN works perfectly.
 
If I set the second VIP to use port 2222 (for example) and forward to 22, this works fine and responds.  The issue is that I need the 22 to 22 to work.
 
The client has limited IPs to work with or I'd consider using a different IP entirely.
 
This, to me, appears to be a bug with forwarding SSH.  I confirmed I have it disabled on all interfaces for management, and don't see a specific Local-IN Policy using it or other policy using it.
 
If I enable SSH on the WAN interface, it works - so I don't believe it's the ISP blocking the traffic outside the firewall.
 
Thoughts?
 
Just an odd issue... never had issues with VIPs before.
 
Thanks!
#1
BWiebe
Silver Member
Re: VIP Issue 2018/10/21 12:48:53
On further testing, it actually IS the ISP blocking port 22.
 
I missed it in initial test.
#2
ede_pfau
Expert Member
Re: VIP Issue 2018/10/21 13:02:06
never had issues with VIPs before.
- 100 %!
except maybe for specialities like having a VIP changing a URL to an IP address and thus causing a cert error... even that is solvable.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#3
Bogens
New Member
Re: VIP Issue 2018/10/22 00:08:41
Hi Guys,
 
I'm a newbie on this forum and I'm looking for an answer on how to enable telnet to be able to access from outside. SSH is working fine but telnet with port 4001 assigned is not working, any idea guys? Please help.
#4
ede_pfau
Expert Member
Re: VIP Issue 2018/10/22 04:19:53
First off, please don't hijack threads. Just open a new one.
Second, do you allow ALL services in the outbound policy, or have you created a custom service? If so, what does it look like?

#5
Bogens
New Member
Re: VIP Issue 2018/10/22 04:28:19
Hi Ede, thanks btw and sorry if I offended you by replying to this thread; it's just that it's the same issue reported since it's under the VIP configuration. Anyway, services are ALL but I don't know why it's not working. I will create another post for this.
#6
Bogens
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/10/22 00:02:52
  • Status: offline
VIP Telnet not working 2018/10/22 04:36:29 (permalink)
0
Hi Guys,
 
Need some help, I created port forwarding and it's working well, except for Telnet port 4001.
SSH is working fine but telnet is not working, any idea?
 
#7
Bogens
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/10/22 00:02:52
  • Status: offline
Re: VIP Telnet not working 2018/10/22 05:16:32 (permalink)
0
Please help.. attached a screenshot of the configuration made.
Note: SSH and others are working except for TELNET.
 
Attached Image(s)

#8
rwpatterson
Expert Member
Re: VIP Telnet not working 2018/10/22 06:51:00
Does TELNET work from the inside?

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#9
Bogens
New Member
Re: VIP Telnet not working 2018/10/22 08:05:54
Hi Patterson, I'm out of the office now, but just in case I can't telnet it locally, is there anything that needs to change in the Fortinet setup? That server had telnet before, when using another device, and now that we have upgraded to Fortinet, telnet is not working on the VIP.
#10
rwpatterson
Expert Member
Re: VIP Telnet not working 2018/10/22 08:47:40
Everything looks good from the 10,000 ft view. Let's get an answer on the local and work from there. Please, get the setups online here for the virtual IP setup and the policy.
 
From the command line:
FGT# show firewall policy <policy_number>
FGT# show firewall vip "<VIP_name>"
 
If using a custom policy, add:
FGT# show firewall service custom "<custom_service_name>"

 
#11
Bogens
New Member
Re: VIP Telnet not working 2018/10/22 10:18:22
Hi Patterson, thanks. I still can't understand why it's not working when the policy has been implemented correctly. I will check tomorrow when I get into the office. Btw, below is the policy for your perusal.
 
config firewall policy
edit 14
set srcintf "wan1"
set dstintf "internal" "internal13"
set srcaddr "all"
set dstaddr "SliceCom"
set action accept
set schedule "always"
set service "ALL"
next
#12
rwpatterson
Expert Member
Re: VIP Telnet not working 2018/10/22 11:57:03
Two destination interfaces for one object? That's new to me... I do know that it is a group, but still, I wasn't aware you could do that. Is that a newer feature?

 
#13
tanr
Platinum Member
Re: VIP Telnet not working 2018/10/22 12:45:50
Security Policy with multiple interfaces can be turned on as an optional feature.  Not really recommended unless you really need it.
#14
Bogens
New Member
Re: VIP Telnet not working 2018/10/22 12:52:57
Actually it's like a router-on-a-stick setup, so yes you can do it. It's like creating a VLAN on an interface, although I use another interface for it. Btw, that "internal" has multiple VLANs on it and internal14 is a different network.
#15
Bogens
New Member
Re: VIP Telnet not working 2018/10/22 12:57:44
tanr,
 
Does that mean it will affect the port forwarding? I don't think so; logically speaking only TELNET is not working here, the other port forwarding created is working fine. Besides, a router-on-a-stick setup is a basic and older configuration in networking that consists of a router and a switch connected using one Ethernet link configured as an 802.1Q trunk link.
#16
tanr
Platinum Member
Re: VIP Telnet not working 2018/10/22 13:18:56
Don't know that it would affect port forwarding.
Though that security policy rule accepting any service from the wan to your internal IP is a little scary!
 
Since this is a VIP, does your security policy have "match-vip enable" set?
Do you have a local-in-policy that blocks telnet?  That's somewhat common.
Do you have a security policy earlier in your list that might catch the telnet traffic and deny it?
 
You should attempt to access the VIP by telnet then look at your traffic logs for that service.
 
#17
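Bob's `show firewall vip` / `show firewall policy` commands and tanr's checklist can be turned into an offline check of the pasted output. The Python below is an added example written for this thread, not code from the forum or from Fortinet: it parses the `config / edit / set` text those commands print (the sample is constructed; the VIP `portforward`, `extport` and `mappedport` values are assumed), reports whether a given external port is actually forwarded by the VIP and referenced by an accept policy, and flags the `service "ALL"` inbound rule tanr warned about.

```python
import shlex

# Constructed sample in the layout FortiOS prints for `show firewall vip` and
# `show firewall policy`; the key names are real CLI keys, the values are made up.
SAMPLE = """\
config firewall vip
    edit "SliceCom"
        set portforward enable
        set extport 22
        set mappedport 22
    next
end
config firewall policy
    edit 14
        set srcintf "wan1"
        set dstintf "internal" "internal13"
        set dstaddr "SliceCom"
        set action accept
        set service "ALL"
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} from config/edit/set/next/end text."""
    tables, table, entry = {}, None, None
    for words in filter(None, map(shlex.split, text.splitlines())):
        if words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit":
            entry = table.setdefault(words[1], {})
        elif words[0] == "set":
            entry[words[1]] = words[2:]  # shlex already stripped the quotes
    return tables

def audit_vip_port(cfg, vip_name, port):
    """Return (forwarded_and_allowed, findings) for TCP `port` on the VIP's external IP."""
    vip, findings = cfg["firewall vip"][vip_name], []
    # portforward enable: only extport (single port or 'lo-hi' range) is translated;
    # portforward disable: the VIP is 1:1 static NAT and every port passes through.
    lo, _, hi = vip.get("extport", ["0"])[0].partition("-")
    forwarded = vip.get("portforward", ["disable"])[0] != "enable" or int(lo) <= port <= int(hi or lo)
    if not forwarded:
        findings.append(f"VIP {vip_name} forwards extport {vip['extport'][0]} only, not {port}")
    policies = [n for n, p in cfg["firewall policy"].items()
                if vip_name in p.get("dstaddr", []) and p.get("action") == ["accept"]]
    if not policies:
        findings.append(f"no accept policy has {vip_name} as dstaddr (also check match-vip)")
    for n in policies:
        if cfg["firewall policy"][n].get("service") == ["ALL"]:
            findings.append(f"policy {n} permits service ALL inbound; restrict it to the forwarded port")
    return forwarded and bool(policies), findings
```

Run against the sample, port 22 is forwarded and allowed (with the service ALL finding), while port 4001 is reported as not mapped by the VIP at all, which is the first thing to rule out before looking at local-in policies or the server itself.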
Bogens
New Member
Re: VIP Telnet not working 2018/10/23 01:57:21
Hi Guys, below is a test for the telnet issue I've encountered. SSH is working but telnet cannot. Is there any configuration I missed? Even internal hosts are not able to telnet.
 
FW # execute telnet 20.20.20.18 4001
Trying 20.20.20.18...
Failed to connect to specified unit.
 
FW # execute telnet 20.20.20.18 23
Trying 20.20.20.18...
Failed to connect to specified unit.
 
FW # execute telnet 20.20.20.18 22
Trying 20.20.20.18...
Connected to 20.20.20.18.
SSH-2.0-OpenSSH_7.2
Protocol mismatch.
Connection closed by foreign host.
 
#18