Natting not working. Reply not being received on remote Server

Author
fgallardo
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/11/06 04:17:53
  • Status: offline
2019/11/06 04:23:18 (permalink)
0


 
Version: FortiGate-100E v6.0.2,build0163,180725 (GA)
We have a problem with a simple NAT creation. If you can point to a proper resource for that, that would be great. I searched on the internet and the Fortinet web but I could not find a guide that works.
 
=> General description: There is an internal network that gets internet access via the Fortinet. NAT is necessary.
=> Problem: The external connections reach the internal machines, but the reply is never routed back out of the DMZ interface, which is where the internet connection is attached and where the internet requests enter on their way to the internal network. In other words, the requests from the outside get into the network, the replies reach the FW, but the FW does not send them out.
 
=> Followed process:
  1. Interfaces properly configured.
  2. Static route (in Network -> Static Routes) was created, to the gateway of the network where the DMZ port is connected. Destination: 0.0.0.0/0, Gateway: the IP of the gateway. The interface was automatically and properly picked by the FW.
  3. The public IP of the server that is allowed to connect to the platform was created (Policy & Objects -> Addresses).
  4. Two Virtual IPs were created. One with the public server IP to the internal server and another from the IP of the DMZ port to the internal server (in Policy & Objects -> IPv4 Policy). Then an IPv4 Virtual IP Group was created, including the two virtual IPs.
    1. Each of the Virtual IPs has Port Forwarding allowed with the needed ports.
  5. Two policies (Policy & Objects -> IPv4 Policy) were created: one allowing the traffic from DMZ to LAN, from the public server IP to the Virtual IP group, and another one allowing any traffic from LAN to the DMZ.
      1. Each of the policies has NAT enabled with the “Use Outgoing Interface Address” option.
The problem is, when trying to access from the Internet server, the traffic is received on the internal server on the expected port, so NAT from the internet is working as expected. Then the internal server replies and the reply gets to the FW, but the FW never sends the reply back to the internet via the DMZ port. What am I missing?
 
Thanks a lot
BR
#1

1 Reply

    Dave Hall
    Expert Member
    • Total Posts : 1531
    • Scores: 167
    • Reward points: 0
    • Joined: 2012/05/11 07:55:58
    • Location: Canada
    • Status: offline
    Re: Natting not working. Reply not being received on remote Server 2019/11/06 06:50:44 (permalink)
    0
    If you have "public servers" with public IP addresses that are mapped to an internal IP address(es) behind the fgt firewall, then you likely need to set up a VIP in the opposite direction, using a one-to-one IP pool.
     
    Very basic example....
    -------------------------
    config firewall address
        edit "internal-server"
            set subnet 192.168.0.xx 255.255.255.255
        next
    end
    -------------------------
    config firewall ippool
        edit "ServerIP-pool"
            set type one-to-one
            set startip 204.199.90.xx
            set endip 204.199.90.xx
        next
    end
    -------------------------
    config firewall vip
        edit "VIP-to-internal-server"
            set extip 204.199.90.xx
            set extintf "wan1"
            set mappedip "192.168.0.xx"
        next
    end
    -------------------------
    config firewall policy
        edit 0
            set srcintf "internal_net"
            set dstintf "wan1"
            set srcaddr "internal-server"
            set dstaddr "All_External"
            set action accept
            set schedule "always"
            set service "ALL"
            set ippool enable
            set poolname "ServerIP-pool"
            set nat enable
        next
        edit 0
            set srcintf "wan1"
            set dstintf "internal_net"
            set srcaddr "All_External"
            set dstaddr "VIP-to-internal-server"
            set action accept
            set schedule "always"
            set service "Web Access"
            set nat enable
        next
    end
    -------------------------


    Take extra security precautions (like applying IPS or other UTM features) to safeguard your "public" servers if they are housed behind your fgt.  

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #2
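    To make the distinction in the reply concrete (a reply to an inbound VIP session is un-translated from the session table, whereas a new connection the server opens is source-NATed by whatever the outbound policy says), here is a toy Python model of the two paths. It is an added illustration, not FortiOS code; the 203.0.113.x / 198.51.100.x / 192.168.0.10 addresses are constructed placeholders for the xx'd-out values above.

```python
"""Toy model of FortiGate DNAT (VIP) and SNAT (ippool vs. interface address)."""
from dataclasses import dataclass

# Constructed placeholders standing in for the thread's masked addresses.
VIP_EXT_IP = "203.0.113.10"   # VIP extip: the server's public address
DMZ_IF_IP = "203.0.113.2"     # the FortiGate's own DMZ/wan interface address
SERVER_IP = "192.168.0.10"    # VIP mappedip: the internal server

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class FortiNatModel:
    """Stateful NAT: inbound hits the VIP, new outbound hits the policy's SNAT."""
    def __init__(self, one_to_one_pool=False):
        self.one_to_one_pool = one_to_one_pool
        # (server ip, server port, peer ip, peer port) -> public ip to restore
        self.sessions = {}

    def inbound(self, pkt):
        """Internet -> VIP: rewrite dst to mappedip and record the session."""
        if pkt.dst != VIP_EXT_IP:
            return None  # no VIP matches, so no inbound policy matches either
        self.sessions[(SERVER_IP, pkt.dport, pkt.src, pkt.sport)] = VIP_EXT_IP
        return Packet(pkt.src, SERVER_IP, pkt.sport, pkt.dport)

    def outbound(self, pkt):
        """Server -> Internet: replies use the session table, new flows get SNAT."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return Packet(self.sessions[key], pkt.dst, pkt.sport, pkt.dport)
        # New session: a one-to-one pool keeps the public server IP, while
        # "Use Outgoing Interface Address" sources it from the firewall itself.
        src = VIP_EXT_IP if self.one_to_one_pool else DMZ_IF_IP
        return Packet(src, pkt.dst, pkt.sport, pkt.dport)

def demo(one_to_one_pool):
    """Return (source IP seen on a reply, source IP seen on a server-initiated flow)."""
    fw = FortiNatModel(one_to_one_pool)
    client = Packet("198.51.100.7", VIP_EXT_IP, 40000, 443)
    to_server = fw.inbound(client)
    reply = fw.outbound(Packet(to_server.dst, client.src, 443, client.sport))
    new_flow = fw.outbound(Packet(SERVER_IP, "198.51.100.7", 51000, 53))
    return reply.src, new_flow.src

if __name__ == "__main__":
    print("interface address:", demo(False))
    print("one-to-one pool:  ", demo(True))
```

    In the model the reply path is the same either way; only the server's own outgoing connections change source address, which is exactly what the one-to-one pool in the reply is for.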