NAT/ip policy Problems

Author: Alex Ki
2020/04/10 02:58:39 (permalink)


First of all, excuse me for my English; it's not my first language.

Hey guys, a total FortiGate noob here. I inherited the FG from the guy who was working here before me, with lots of IP policy rules and other stuff.

I need to NAT 9443->443 from a certain external IP address to a web server inside, but (I think) the traffic keeps hitting the wrong IPv4 policy.

Here's my VIP config for this:
config firewall vip
    edit "NAT to lkbitrix"
        set uuid a685993c-79a2-51ea-8d95-fac7819934af
        set extip <EXTIP>
        set extintf "port1"
        set portforward enable
        set color 9
        set mappedip "192.168.131.7"
        set extport 9443
        set mappedport 443
    next
end
 
Here are the IP policies I created for that rule:
config firewall policy
    edit 142
        set name "SWEB05-NAT-Internet"
        set uuid 109e0adc-7b08-51ea-a864-b1c9dd70f816
        set srcintf "port5"
        set dstintf "port1"
        set srcaddr "KAM-SWEB05"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 141
        set name "A-Internet-SWEB05"
        set uuid c3c5364a-7b07-51ea-6e98-064652b0f36e
        set srcintf "port1"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "KAM-SWEB05"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Please note that I'm not putting any ports/protocols here because I was troubleshooting the rules. I will put in specific ports once we go live with this.
 
Now, what I think happens is that the traffic gets redirected to port 443 of the EXTIP, on which another service exists.
Here's the debug output:
192.168.131.7 is the web server I need to publish
192.168.131.1 is the web server published on port 443
2020-04-10 12:33:51 id=20085 trace_id=1 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7ae"
2020-04-10 12:33:51 id=20085 trace_id=1 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=1 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:51 id=20085 trace_id=2 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag [S], seq 1457575988, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=2 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7af"
2020-04-10 12:33:51 id=20085 trace_id=2 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=2 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:51 id=20085 trace_id=3 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [S], seq 3828400667, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=3 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7b0"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:33:51 id=20085 trace_id=3 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=3 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:33:51 id=20085 trace_id=3 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=4 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828400668, ack 2004987952, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=4 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=4 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=5 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828400668, ack 2004987952, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=5 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=5 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=6 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828401185, ack 2004990461, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=6 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=6 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=7 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828401185, ack 2004990461, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=7 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=7 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=8 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [F.], seq 3828401192, ack 2004990461, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=8 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=8 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=9 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828401193, ack 2004990462, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=9 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=9 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=10 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52912-><EXTIP>:9443) from port1. flag [S], seq 2668994186, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=10 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7b9"
2020-04-10 12:33:51 id=20085 trace_id=10 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=10 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:54 id=20085 trace_id=11 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag [S], seq 1457575988, ack 0, win 8192"
2020-04-10 12:33:54 id=20085 trace_id=11 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7ff"
2020-04-10 12:33:54 id=20085 trace_id=11 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:54 id=20085 trace_id=11 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:54 id=20085 trace_id=12 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52909-><EXTIP>:9443) from port1. flag [S], seq 605093863, ack 0, win 8192"
2020-04-10 12:33:54 id=20085 trace_id=12 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd800"
2020-04-10 12:33:54 id=20085 trace_id=12 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:54 id=20085 trace_id=12 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:54 id=20085 trace_id=13 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52912-><EXTIP>:9443) from port1. flag [S], seq 2668994186, ack 0, win 8192"
2020-04-10 12:33:54 id=20085 trace_id=13 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd802"
2020-04-10 12:33:54 id=20085 trace_id=13 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:54 id=20085 trace_id=13 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:00 id=20085 trace_id=14 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag [S], seq 1457575988, ack 0, win 8192"
2020-04-10 12:34:00 id=20085 trace_id=14 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd890"
2020-04-10 12:34:00 id=20085 trace_id=14 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:00 id=20085 trace_id=14 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:00 id=20085 trace_id=15 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52909-><EXTIP>:9443) from port1. flag [S], seq 605093863, ack 0, win 8192"
2020-04-10 12:34:00 id=20085 trace_id=15 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd891"
2020-04-10 12:34:00 id=20085 trace_id=15 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:00 id=20085 trace_id=15 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:00 id=20085 trace_id=16 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52912-><EXTIP>:9443) from port1. flag [S], seq 2668994186, ack 0, win 8192"
2020-04-10 12:34:00 id=20085 trace_id=16 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd899"
2020-04-10 12:34:00 id=20085 trace_id=16 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:00 id=20085 trace_id=16 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:12 id=20085 trace_id=17 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52915-><EXTIP>:9443) from port1. flag [S], seq 3798766778, ack 0, win 8192"
2020-04-10 12:34:12 id=20085 trace_id=17 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd9a1"
2020-04-10 12:34:12 id=20085 trace_id=17 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:12 id=20085 trace_id=17 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:12 id=20085 trace_id=18 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [S], seq 1420091637, ack 0, win 8192"
2020-04-10 12:34:12 id=20085 trace_id=18 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd9a2"
2020-04-10 12:34:12 id=20085 trace_id=18 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:34:12 id=20085 trace_id=18 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=18 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:34:12 id=20085 trace_id=18 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:34:12 id=20085 trace_id=18 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=19 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420091638, ack 824278912, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=19 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=19 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=20 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420091638, ack 824278912, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=20 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=20 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=21 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420092155, ack 824281421, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=21 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=21 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=21 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=22 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420092155, ack 824281421, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=22 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=22 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=23 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [F.], seq 1420092162, ack 824281421, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=23 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=23 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=23 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=24 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420092163, ack 824281422, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=24 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=24 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=24 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:15 id=20085 trace_id=25 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52915-><EXTIP>:9443) from port1. flag [S], seq 3798766778, ack 0, win 8192"
2020-04-10 12:34:15 id=20085 trace_id=25 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cda40"
2020-04-10 12:34:15 id=20085 trace_id=25 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:15 id=20085 trace_id=25 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:17 id=20085 trace_id=26 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52917-><EXTIP>:9443) from port1. flag [S], seq 2146468256, ack 0, win 8192"
2020-04-10 12:34:17 id=20085 trace_id=26 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cda84"
2020-04-10 12:34:17 id=20085 trace_id=26 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:17 id=20085 trace_id=26 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:17 id=20085 trace_id=27 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [S], seq 3545820219, ack 0, win 8192"
2020-04-10 12:34:17 id=20085 trace_id=27 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cda85"
2020-04-10 12:34:17 id=20085 trace_id=27 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:34:17 id=20085 trace_id=27 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=27 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:34:17 id=20085 trace_id=27 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:34:17 id=20085 trace_id=27 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=28 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820220, ack 2191388383, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=28 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=28 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=28 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=29 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820220, ack 2191388383, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=29 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=29 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=29 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=30 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820737, ack 2191390892, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=30 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=30 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=30 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=31 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820737, ack 2191390892, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=31 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=31 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=31 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=32 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [F.], seq 3545820744, ack 2191390892, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=32 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=32 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=32 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=33 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820745, ack 2191390893, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=33 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=33 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=33 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:20 id=20085 trace_id=34 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52917-><EXTIP>:9443) from port1. flag [S], seq 2146468256, ack 0, win 8192"
2020-04-10 12:34:20 id=20085 trace_id=34 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cdac4"
2020-04-10 12:34:20 id=20085 trace_id=34 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:20 id=20085 trace_id=34 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:21 id=20085 trace_id=35 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52915-><EXTIP>:9443) from port1. flag [S], seq 3798766778, ack 0, win 8192"
2020-04-10 12:34:21 id=20085 trace_id=35 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cdadd"
2020-04-10 12:34:21 id=20085 trace_id=35 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:21 id=20085 trace_id=35 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:26 id=20085 trace_id=36 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52917-><EXTIP>:9443) from port1. flag [S], seq 2146468256, ack 0, win 8192"
2020-04-10 12:34:26 id=20085 trace_id=36 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cdbc9"
2020-04-10 12:34:26 id=20085 trace_id=36 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:26 id=20085 trace_id=36 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"

 
Any help will be very appreciated.
#1
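The debug output above has a pattern that is easy to miss in 150 lines of trace: every SYN to <EXTIP>:9443 goes to fw_local_in_handler and is dropped ("check failed on policy 0"), while every SYN to <EXTIP>:443 is rewritten at fw_pre_route_handler ("VIP-192.168.131.1:443", then "DNAT ...") and accepted by policy 75. In other words, no VIP ever rewrote the 9443 packets, so the FortiGate treated them as traffic addressed to itself. The script below is an added example (not part of the thread) that groups "diagnose debug flow" lines by trace_id and classifies each trace; the SAMPLE block is a constructed subset of the post's own lines, with the <MYIP>/<EXTIP> placeholders kept as they appear in the post.

```python
"""Classify FortiGate 'diagnose debug flow' trace output by trace_id.

Added example for this thread, not FortiOS code. For each trace it reports
whether the packet was DNAT'd by a VIP (fw_pre_route_handler / DNAT lines),
accepted by a forward policy, matched an existing session, or was dropped by
the local-in handler (iprope_in_check ... policy 0, drop).
"""
import re
from collections import OrderedDict

TRACE_RE = re.compile(r'trace_id=(\d+)\s+func=(\w+)\s+line=\d+\s+msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\) from (\w+)\. flag \[([^\]]*)\]')
DNAT_RE = re.compile(r'DNAT (\S+?):(\d+)->(\S+?):(\d+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')

# Constructed sample: a subset of the lines pasted in the post (placeholders kept as-is).
SAMPLE = """\
2020-04-10 12:33:51 id=20085 trace_id=2 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag [S], seq 1457575988, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=2 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7af"
2020-04-10 12:33:51 id=20085 trace_id=2 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=2 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:51 id=20085 trace_id=3 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [S], seq 3828400667, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=3 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7b0"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:33:51 id=20085 trace_id=3 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=3 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:33:51 id=20085 trace_id=4 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828400668, ack 2004987952, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=4 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
"""


def parse_trace(text):
    """Group trace lines by trace_id, keeping (func, msg) pairs in order."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        traces.setdefault(tid, []).append((func, msg))
    return traces


def classify(events):
    """Return a dict describing what the FortiGate did with one trace."""
    result = {"src_port": None, "dst_port": None, "in_intf": None, "flags": None,
              "vip": None, "dnat_to": None, "policy": None, "verdict": "unknown"}
    for func, msg in events:
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                result.update(src_port=int(p.group(3)), dst_port=int(p.group(5)),
                              in_intf=p.group(6), flags=p.group(7))
        elif func == "fw_pre_route_handler" and msg.startswith("VIP-"):
            # A VIP matched before routing: "VIP-<mappedip>:<mappedport>, outdev-..."
            result["vip"] = msg.split(",")[0][len("VIP-"):]
        elif func == "__ip_session_run_tuple":
            d = DNAT_RE.search(msg)
            if d:
                result["dnat_to"] = f"{d.group(3)}:{d.group(4)}"
        elif func == "fw_forward_handler":
            pm = POLICY_RE.search(msg)
            if pm:
                result["policy"] = int(pm.group(1))
                result["verdict"] = "forwarded"
        elif func == "fw_local_in_handler" and "drop" in msg:
            # Nothing rewrote the destination, so the packet was handled as
            # traffic to the firewall itself and no local-in policy accepted it.
            result["verdict"] = "dropped-local-in"
        elif func == "resolve_ip_tuple_fast":
            result["verdict"] = "existing-session"
    return result


def summarize(text):
    """trace_id -> classification for every trace in the text."""
    return {tid: classify(ev) for tid, ev in parse_trace(text).items()}


def undnatted_ports(text):
    """Destination ports whose packets were dropped at local-in without any DNAT."""
    return sorted({r["dst_port"] for r in summarize(text).values()
                   if r["verdict"] == "dropped-local-in" and r["dnat_to"] is None})


if __name__ == "__main__":
    for tid, r in summarize(SAMPLE).items():
        print(tid, r)
    print("ports never DNAT'd:", undnatted_ports(SAMPLE))
```

Run against the full paste from the post, undnatted_ports() returns just 9443, which is the quickest way to confirm that the problem is not a wrong forward policy but that the VIP never matched at all.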


    Fullmoon
    Re: NAT/ip policy Problems 2020/04/10 04:31:37 (permalink)
    hi,
     
    kindly try this configuration
     
    config firewall vip
        edit "NAT to lkbitrix"
            set uuid a685993c-79a2-51ea-8d95-fac7819934af
            set extip <EXTIP>
            set extintf "port5" <---changed from port 1 to port 5
            set portforward enable
            set color 9
            set mappedip "192.168.131.7"
            set extport 9443
            set mappedport 443
        next
    end
    config firewall policy
        edit 142
            set name "SWEB05-NAT-Internet"
            set uuid 109e0adc-7b08-51ea-a864-b1c9dd70f816
            set srcintf "port5"
            set dstintf "port1"
            set srcaddr "all" <---changed from KAM-SWEB05 to All
            set dstaddr "NAT to lkbitrix" <---changed from All to NAT to lkbitrix
            set action accept
            set schedule "always"
            set service "ALL"
            set nat disable <----Disabled this (was enable)
        next
    end

    Fortigate Newbie
    #2
    ede_pfau
    Re: NAT/ip policy Problems 2020/04/10 04:38:57 (permalink)
    You are not redirecting the traffic to your internal server. In policy 141, you need to put the VIP as destination address. That's the way VIPs (destination NAT) work.
    Do that and test again.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #3
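The rule in the reply above (a VIP only does destination NAT for inbound traffic once an accept policy on its external interface lists the VIP object as dstaddr) is easy to check mechanically in an exported configuration. The script below is an added example, not FortiOS code and not from anyone in the thread: it models the VIP and the two policies from the original post with small dataclasses, decides where a SYN to <EXTIP>:9443 ends up under that rule, and lints for VIPs that no policy references. The matching logic is a deliberate simplification (it ignores services, schedules, policy order and address groups) and the "locked VIP" check simply mirrors the CLI message quoted later in the thread; both are assumptions of the example.

```python
"""Lint a FortiGate-style VIP/policy set for an unreferenced VIP.

Added example for this thread, not FortiOS code. It models the rule stated in
the reply: a VIP (destination NAT) takes effect for inbound traffic only when
an accept policy on the VIP's external interface references the VIP object as
dstaddr. The simplified matching below is an assumption of the example.
"""
from dataclasses import dataclass, field


@dataclass
class VIP:
    name: str
    extip: str
    extintf: str
    extport: int
    mappedip: str
    mappedport: int


@dataclass
class Address:
    name: str
    subnet: str  # single host or "0.0.0.0/0" for all


@dataclass
class Policy:
    id: int
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str  # address object name, VIP name, or "all"
    action: str = "accept"
    service: str = "ALL"


@dataclass
class Config:
    vips: dict = field(default_factory=dict)
    addresses: dict = field(default_factory=dict)
    policies: list = field(default_factory=list)


def policies_referencing(cfg, vip_name):
    return [p for p in cfg.policies if p.dstaddr == vip_name]


def vip_is_locked(cfg, vip_name):
    """Mirrors the CLI refusing to change extintf while a policy uses the VIP."""
    return bool(policies_referencing(cfg, vip_name))


def inbound_verdict(cfg, in_intf, dst_ip, dst_port):
    """Where does a SYN arriving on in_intf for dst_ip:dst_port go?

    ("dnat", vip, policy) when a VIP matches and an accept policy on that
    interface references it; ("local-in", None, None) otherwise, i.e. the
    packet is handled as addressed to the firewall itself.
    """
    for vip in cfg.vips.values():
        if (vip.extintf, vip.extip, vip.extport) != (in_intf, dst_ip, dst_port):
            continue
        for pol in policies_referencing(cfg, vip.name):
            if pol.srcintf == in_intf and pol.action == "accept":
                return ("dnat", vip.name, pol.id)
    return ("local-in", None, None)


def lint(cfg):
    """Report VIPs that exist but can never DNAT anything."""
    findings = []
    for vip in cfg.vips.values():
        refs = [p for p in policies_referencing(cfg, vip.name) if p.srcintf == vip.extintf]
        if not refs:
            findings.append(f"VIP '{vip.name}' ({vip.extip}:{vip.extport} on {vip.extintf}) "
                            f"is not the dstaddr of any accept policy with srcintf {vip.extintf}; "
                            f"inbound traffic will hit local-in instead of being DNAT'd")
    return findings


def thread_config(fixed=False):
    """The original post's objects; <EXTIP> is the same placeholder the post uses."""
    cfg = Config()
    cfg.vips["NAT to lkbitrix"] = VIP("NAT to lkbitrix", "<EXTIP>", "port1", 9443, "192.168.131.7", 443)
    cfg.addresses["KAM-SWEB05"] = Address("KAM-SWEB05", "192.168.131.7/32")
    cfg.policies.append(Policy(142, "SWEB05-NAT-Internet", "port5", "port1", "KAM-SWEB05", "all"))
    # Policy 141 as posted uses the plain address object; the suggested fix uses the VIP.
    cfg.policies.append(Policy(141, "A-Internet-SWEB05", "port1", "port5", "all",
                               "NAT to lkbitrix" if fixed else "KAM-SWEB05"))
    return cfg


if __name__ == "__main__":
    for fixed in (False, True):
        cfg = thread_config(fixed)
        print("fixed" if fixed else "as posted",
              inbound_verdict(cfg, "port1", "<EXTIP>", 9443), lint(cfg))
```

With the configuration as posted the verdict is "local-in" and lint() reports the unreferenced VIP, which is the same outcome the debug flow shows; with the VIP as dstaddr of policy 141 the packet is DNAT'd. The model says nothing about why the fix might still fail on a real box, so treat it as a first check, not a replacement for the debug flow.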
    Alex Ki
    Re: NAT/ip policy Problems 2020/04/10 05:58:25 (permalink)
    ede_pfau
    You are not redirecting the traffic to your internal server. In policy 141, you need to put the VIP as destination address. That's the way VIPs (destination NAT) work.
    Do that and test again.


    Thanks, unfortunately that didn't work.
    The new debug is in the txt attachment.
     
    Fullmoon
    hi,

    kindly try this configuration

    config firewall vip
        edit "NAT to lkbitrix"
            set uuid a685993c-79a2-51ea-8d95-fac7819934af
            set extip <EXTIP>
            set extintf "port5" <---changed from port 1 to port 5
            set portforward enable
            set color 9
            set mappedip "192.168.131.7"
            set extport 9443
            set mappedport 443
        next
    end
    config firewall policy
        edit 142
            set name "SWEB05-NAT-Internet"
            set uuid 109e0adc-7b08-51ea-a864-b1c9dd70f816
            set srcintf "port5"
            set dstintf "port1"
            set srcaddr "all" <---changed from KAM-SWEB05 to All
            set dstaddr "NAT to lkbitrix" <---changed from All to NAT to lkbitrix
            set action accept
            set schedule "always"
            set service "ALL"
            set nat disable <----Disabled this (was enable)
        next
    end


    Thanks for your suggestion.
    When editing set extintf "port5" on "NAT to lkbitrix" I get:
    # set extintf "port5"
    Cannot change 'extintf' while the VIP entry is used.
    In 142 I can't choose "NAT to lkbitrix" as it's on the wrong port.
    #4
    Fullmoon
    Re: NAT/ip policy Problems 2020/04/10 08:23:49 (permalink)
    I'd appreciate it if you could post your topology, especially which interfaces are facing the public side and which your local network.
     
    Attaching a link as well for VIP configuration.
    https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/657500

    Fortigate Newbie
    #5