Allowing LAN Internal Network To A DMZ Device

Author
SilentDude
New Member
2019/08/25 22:13:45 (permalink)


Hello People,
 
A user asked me to allow the LAN network to access a DMZ device, IP: 10.10.10.50.
LAN IP range is 192.168.100.110-192.168.100.210, gateway: 192.168.100.99.
 
1- I went to Addresses > Create New; I didn't find a place to create an object for the DMZ device 10.10.10.50.
So the first question: how do I create an object and give it a name and an IP address? What I found is how to create a subnet and an IP range, and this is not what I was looking for.
I need to create this DMZ object because I want to allow the LAN only to this DMZ machine. How do I do that in Forti?
 
2- What I did for now, for testing, is allow the LAN to the whole DMZ network; even this didn't work and I don't know why...
I went to Policy and Objects > Addresses > created 2 new IP range objects
named dmz-network and internal-network, with their IP ranges.
Then I went to IPv4 Policy > Create New:
name: lan_to_dmz
incoming interface: internal
outgoing interface: dmz
source: internal network
destination: dmz-network
schedule: always
service: all
action: accept
nat: disabled
 
When I went to a PC in the LAN and tried to ping 10.10.10.50, there was no ping.
How do I go from here? Please assist.
#1

4 Replies

    sw2090
    Gold Member
    Re: Allowing LAN Internal Network To A DMZ Device 2019/08/26 00:41:35 (permalink)
    What did you put into your ranges?
    You can enter one host as a subnet with <ipofhost>/255.255.255.255 as a FGT Address object.
    If 10.10.10.50 is the IP of the DMZ interface, does the interface allow ping?
    Is that dmz_network connected to the DMZ interface?
    #2
    SilentDude
    New Member
    Re: Allowing LAN Internal Network To A DMZ Device 2019/08/26 01:32:36 (permalink)
    Hello,
     
    OK, I created the DMZ object.
    10.10.10.50 is a device in the DMZ network listening on port 80.
    10.10.10.1/255.255.255.0 is the DMZ interface.
     
    I need to allow ALL LAN computers to access one specific device in the DMZ, 10.10.10.50, on port
    When they open a browser, LAN users type 10.10.10.50 and they should reach a web interface.
    LAN interface is: 192.168.100.99
     
    Hope it's more clear now.
    #3
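Putting the two posts above together, this is an added example (not from the thread) of the FortiOS CLI equivalent of what sw2090 describes: a /32 address object for the single DMZ host, the LAN IP range object, and a policy that permits only HTTP to that host (plus PING, so the connectivity test in the thread still works) instead of "service: all" to the whole DMZ. The interface names `internal` and `dmz` and all addresses are the ones given in the thread; the object names, `edit 0` (which lets the firewall assign the next free policy id) and the `logtraffic` setting are assumptions.

```fortios
# Added example (not from the thread): host object, LAN range object,
# and a least-privilege LAN -> DMZ policy on a FortiGate.

config firewall address
    # Single host as a /32 subnet, as sw2090 suggests (assumed name)
    edit "dmz-host-10.10.10.50"
        set type ipmask
        set subnet 10.10.10.50 255.255.255.255
    next
    # LAN client range from the first post (assumed name)
    edit "internal-network"
        set type iprange
        set start-ip 192.168.100.110
        set end-ip 192.168.100.210
    next
end

config firewall policy
    edit 0
        set name "lan_to_dmz"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "internal-network"
        set dstaddr "dmz-host-10.10.10.50"
        set action accept
        set schedule "always"
        # Only the web interface (TCP/80) and ICMP echo for testing;
        # drop PING from this list once the browser test succeeds
        set service "HTTP" "PING"
        set logtraffic all
        set nat disable
    next
end
```

A policy created with `edit 0` is appended at the bottom of the policy table, so it only matters if no earlier internal-to-dmz policy already matches the traffic; with `logtraffic all` every session the policy accepts shows up in the forward traffic log, which is the quickest way to confirm the hit count is climbing while a LAN PC browses to 10.10.10.50.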
    sw2090
    Gold Member
    Re: Allowing LAN Internal Network To A DMZ Device 2019/08/26 01:48:09 (permalink)
    Hm, OK.
    Your policy seems to be correct so far.
    If you enable ping access on your DMZ interface and then try to ping 10.10.10.1 from out of your LAN IP range - does that work?
    Do you have any other policy that matches that traffic and comes before this one?
     
    For further debugging you might use the debug packet flow feature on the CLI:
     
    diag debug enable
    diag debug flow show console enable
    diag debug flow filter clear
    diag debug flow filter daddr 10.10.10.50
    diag debug flow trace start <numberofpackets>
     
    Then ping 10.10.10.50 and watch the console. You will see the incoming ping (ICMP Echo) and you will see what happens to it.
    #4
    SilentDude
    New Member
    Re: Allowing LAN Internal Network To A DMZ Device 2019/08/26 04:07:21 (permalink)
    Hello,
     
    Thanks for your response.
     
    1- Tried to ping from a LAN computer: no ping to the DMZ interface 10.10.10.1 or the DMZ device.
    Ping is enabled on the DMZ interface.
     
    2- No other policy matches that traffic and comes before this one.
     
    I ran the debug and this is what I see:
     

    Connected
    FGT60ETK18099PXJ # diag debug enable

    FGT60ETK18099PXJ #
    FGT60ETK18099PXJ # diag debug flow show console enable

    command parse error before 'console'
    Command fail. Return code -61

    FGT60ETK18099PXJ #
    FGT60ETK18099PXJ # diag debug flow filter clear

    FGT60ETK18099PXJ #
    FGT60ETK18099PXJ # diag debug flow filter daddr 10.10.10.50

    FGT60ETK18099PXJ #
    FGT60ETK18099PXJ # diag debug flow trace start

    FGT60ETK18099PXJ # id=20085 trace_id=1 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=1, 192.168.100.153:1->10.10.10.50:2048) from internal. type=8, code=0, id=1, seq=104."
    id=20085 trace_id=1 func=init_ip_session_common line=5654 msg="allocate a new session-01c712b4"
    id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.10.10.50 via dmz"
    id=20085 trace_id=1 func=fw_forward_handler line=751 msg="Allowed by Policy-8:"
     
    Policy 8 is the rule that allows all traffic from the LAN to the DMZ.
     
    What's next?
    #5
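The trace in the post above ends at "Allowed by Policy-8" with a route "via dmz", so the FortiGate accepted the echo request and forwarded it out of the DMZ interface; what the trace does not show is whether any reply ever comes back from 10.10.10.50. This is an added example (not from the thread) of the two checks for that return path: the same flow trace filtered on the reply direction, and a packet capture on the dmz interface. The source address 192.168.100.153 is the LAN PC seen in the trace; the packet counts are assumptions.

```fortios
# Added example (not from the thread): verify the reply direction.

# 1. Flow trace keyed on the reply: source = DMZ host, destination = LAN PC
diag debug enable
diag debug flow filter clear
diag debug flow filter saddr 10.10.10.50
diag debug flow filter daddr 192.168.100.153
diag debug flow trace start 10
# ... now ping 10.10.10.50 from the LAN PC; if nothing is printed here,
#     no echo reply ever reached the FortiGate from the DMZ side
diag debug flow trace stop
diag debug disable

# 2. Capture on the dmz interface only: verbosity 4 prints the IP header
#    and the interface name, 10 packets, ICMP to/from the host only
diag sniffer packet dmz 'host 10.10.10.50 and icmp' 4 10
```

Read the two results together: the sniffer showing echo requests leaving `dmz` with no echo replies means the firewall policy is no longer the problem and the device at 10.10.10.50 (its default gateway, which must be 10.10.10.1, or its own host firewall) is not answering; replies that do appear in the sniffer but never in the reply-direction trace point at the FortiGate's own handling of the returning packet. Always clear the flow filter and disable debug afterwards, since a forgotten trace keeps writing to the console.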