KPS

NAT + Hairpin-NAT for Virtual Server

Hi!

I need to migrate from a UTM system to a FortiGate, where the old system is acting as an SMTP server.

What I want to accomplish is:

- Install new MTA with IP x.x.x.x

- If a connection comes in on ANY internal interface of the FortiGate with destination FG-IP:25, forward it to the MTA

What I tried is using a virtual IP:

config firewall vip
    edit "Hairpin-VIP"
        set uuid 27ae0c6e-61a9-51e9-d09b-4712492d2507
        set extintf "lan"
        set portforward enable
        set mappedip "x.x.x.x"
        set extport 25
        set mappedport 25
    next
end
config firewall policy
    edit 15
        set name "Hairpin-Policy"
        set uuid 540b72ec-61a9-51e9-06fb-876ebf0b8ac1
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end

...without success...

Can you give me a hint on how to solve this?

Thank you

KPS

1 REPLY
KPS

Hi!

I just found the problem:

ANY policies do not cover virtual services.

The "Hairpin-Policy" needs to target the service "Hairpin-VIP".
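As an added check that is not part of this thread or of any Fortinet tooling: a small Python audit that parses flat FortiOS CLI text and flags the mistake found above, an accept policy on the VIP's extintf whose dstaddr is "all" instead of the VIP object. The functions parse_fortios and hairpin_findings are hypothetical helpers, and the embedded config is a constructed copy of the thread's VIP and policy (uuids and port settings dropped).

```python
import re
# Constructed sample: the thread's VIP and policy, trimmed (uuids, ports dropped).
SAMPLE_CONFIG = """\
config firewall vip
    edit "Hairpin-VIP"
        set extintf "lan"
        set mappedip "x.x.x.x"
    next
end
config firewall policy
    edit 15
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set match-vip enable
    next
end
"""

def parse_fortios(text):
    """Flat FortiOS CLI (no nested config) -> {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            entry[key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def hairpin_findings(tables):
    """Flag accept policies on a VIP's extintf using dstaddr 'all' instead of the VIP object."""
    findings = []
    for vip_name, vip in tables.get("firewall vip", {}).items():
        ext = vip.get("extintf", [""])[0]
        for pol_id, pol in tables.get("firewall policy", {}).items():
            on_intf = ext in pol.get("srcintf", []) and ext in pol.get("dstintf", [])
            if on_intf and pol.get("action") == ["accept"] and "all" in pol.get("dstaddr", []):
                findings.append(f"policy {pol_id}: dstaddr all does not cover VIP {vip_name}")
    return findings
```

Running hairpin_findings on the sample reports policy 15; once dstaddr is changed to "Hairpin-VIP" the finding disappears.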
