Port Forward in Fortigate 60D (v5.4.6)

Author
ricardomaguiar
New Member
2019/12/02 14:26:20 (permalink)

I created an IPv4 Policy rule for RDP access to an external server.
The "Source" field is set to ALL, and access works very well.
Now I want to change the "Source" to an IP of a network, so I created an Address with IP/Netmask and changed it in the "Source"
of the IPv4 Policy, but I can't access it.

Need help!

Ricardo Aguiar
From Brazil

4 Replies

    Toshi Esumi
    Expert Member
    Re: Port Forward in Fortigate 60D (v5.4.6) 2019/12/02 14:58:57 (permalink)
    If the change is really only the "source" on the policy, either you miscalculated the subnet mask or the actual source IP is not what you're thinking. If you run a sniffer like "diag sniffer packet any 'net 192.168.0.0/24 and port 3389' 4" while attempting RDP access, you can see the actual source IP address the packets are coming from.
     
    If they are correct and still the packets don't go out toward the outgoing interface, that's when you need to run "flow debug" to see why they're dropped.
    ricardomaguiar
    New Member
    Re: Port Forward in Fortigate 60D (v5.4.6) 2019/12/02 16:45:07 (permalink)
    Hi Toshi,
    See result below.
    172.16.48.4 is my TS server, port 3389.
    192.168.20.254 is a gateway in a static route from the internal2 interface.
     
    # diag sniffer packet any 'net 172.16.48.4/32 and port 3389' 4
    interfaces=[any]
    filters=[net 172.16.48.4/32 and port 3389]
    7.124401 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: syn 2354227045 
    7.124709 internal1 in 172.16.48.4.3389 -> 192.168.20.254.58892: syn 2430609721 ack 2354227046 
    7.339549 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: ack 2430609722 
    7.339663 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: psh 2354227046 ack 2430609722 
    7.343909 internal1 in 172.16.48.4.3389 -> 192.168.20.254.58892: psh 2430609722 ack 2354227093 
    7.650827 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: ack 2430609741 
    9.923764 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: rst 2354227093 ack 2430609741 
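As an added illustration of the check Toshi suggested (this is not code from the thread or from Fortinet), the Python script below parses `diag sniffer packet` output such as the capture above and reports, for each client IP seen sending to the server on port 3389, whether it falls inside the subnet configured as the policy's source object. The sample lines are copied from the post, plus one constructed packet from a hypothetical second client (10.20.30.40) to show a non-matching source.

```python
import ipaddress
import re

# Constructed sample: sniffer lines from the thread, plus one hypothetical
# packet from a second client that the policy's source object would not cover.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[net 172.16.48.4/32 and port 3389]
7.124401 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: syn 2354227045
7.124709 internal1 in 172.16.48.4.3389 -> 192.168.20.254.58892: syn 2430609721 ack 2354227046
7.339549 internal1 out 192.168.20.254.58892 -> 172.16.48.4.3389: ack 2430609722
8.000000 internal1 out 10.20.30.40.51000 -> 172.16.48.4.3389: syn 1111111111
"""

# One packet line: <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>
PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def client_sources(sniffer_text, server_ip, server_port):
    """Return the set of client IPs seen sending packets to server_ip:server_port."""
    sources = set()
    for line in sniffer_text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m and m["dst"] == server_ip and int(m["dport"]) == server_port:
            sources.add(m["src"])
    return sources


def check_policy_source(sniffer_text, policy_source, server_ip, server_port=3389):
    """Map each observed client IP to whether the policy's source object matches it.

    policy_source is the IP/Netmask of the firewall Address object, e.g. "192.168.20.0/24";
    strict=False so a host address with a mask ("192.168.20.254/24") is accepted too.
    """
    net = ipaddress.ip_network(policy_source, strict=False)
    return {src: ipaddress.ip_address(src) in net
            for src in sorted(client_sources(sniffer_text, server_ip, server_port))}


if __name__ == "__main__":
    # The firewall sees the router's SNAT address, not the original client.
    for src, ok in check_policy_source(SNIFFER_OUTPUT, "192.168.20.0/24", "172.16.48.4").items():
        print(f"{src}: {'matches' if ok else 'does NOT match'} the policy source")
```

A source IP that shows up as "does NOT match" is exactly the case in the thread: the policy source must describe the address the FortiGate actually sees (here the router's 192.168.20.254), not the address the client itself uses.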
    Toshi Esumi
    Expert Member
    Re: Port Forward in Fortigate 60D (v5.4.6) 2019/12/03 08:36:42 (permalink)
    So you originally meant to say ...
    "I created an IPv4 Policy rule for RDP access to an internal server (172.16.48.4 connected via internal1) from outside." If that's the case, I see NAT is on at the policy. The server should see the source IP address (outside IP) when the packets arrive. Turn the NAT off then try again.
    Toshi Esumi
    Expert Member
    Re: Port Forward in Fortigate 60D (v5.4.6) 2019/12/03 09:31:47 (permalink)
    Oh, I forgot you mentioned "changing source changes behavior". Probably you took source and destination reversed. In this case, currently NAT (SNAT) is on at the router and changing the source to its own IP. Then all "source" at the FGT's policy should be 192.168.20.254. And the destination is 172.16.48.4 at port 3389.
    But once you turn off NAT at the router, you should set the source "all" if it's coming from the internet.