Description
====================
Users need to reach one of our externally published services. The service is hosted internally and published to the Internet through a VIP (Virtual IP) on the FortiGate.
Issue
====================
When users are in the office, on the internal network, they can reach the service by its internal IP address but not by its external (VIP) address.
Cases
====================
Case 1: Users and the service are on the same FortiGate port.
Firewall VIP
When configuring the VIP, the external interface must be set to "any", not to the WAN port. With a specific external interface, the VIP is only matched on traffic arriving on that interface; with "any" it is also matched on traffic arriving from Port1.
config firewall vip
    edit "Server1"
        set extip 67.2.22.22
        set extintf "any"    <<< "any" is a requirement
        set mappedip 172.18.10.1
    next
end
Firewall Policy
1. Allow WAN to Port1 (Internet users) and Port1 to Port1 (internal users hairpinning through the VIP).
config firewall policy
    edit 4
        set srcintf "WAN"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
Note: This was my case. I completed the configuration above, but users still could not reach the service via the VIP.
After reviewing my network topology I found the cause: all internal routing is done on the core switch, so the FortiGate does not know which subnets exist internally. I needed to add a policy route on the FortiGate telling it that when a packet comes in on Port1 and is destined for another internal subnet, it must be forwarded back out Port1 (to the core switch) for routing. That was all; everything works like a charm.
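The following FortiOS CLI fragment is an added example of the Case 1 fix; it is not from the original post or the Fortinet KB. It assumes that 172.18.0.0/16 is the internal address space routed by the core switch and that 172.18.1.254 is the core switch's address on the Port1 subnet (both assumed values). Two points are worth showing beyond the note above: first, FortiOS applies the VIP's destination NAT before the route lookup, so the policy route must match the mapped (internal) destination, not the public VIP; second, if the server can reach the client's subnet without passing the FortiGate (as it can here, via the core switch), its replies would come from 172.18.10.1 instead of 67.2.22.22 and the client would discard them, so source NAT is enabled on the hairpin policy to force replies back through the firewall.

```fortios
# Added example, not part of the original post. Assumed values:
#   172.18.0.0/255.255.0.0 = internal address space routed by the core switch
#   172.18.1.254           = core switch address on the Port1 subnet
#
# 1. Policy route: anything entering Port1 for an internal subnet goes back out
#    Port1 to the core switch. DNAT (VIP) happens before routing, so the match
#    is on the mapped subnet, not on 67.2.22.22. (Address syntax varies by
#    FortiOS version; some releases take "set dst 172.18.0.0 255.255.0.0".)
config router policy
    edit 1
        set input-device "port1"
        set src "172.18.0.0/255.255.0.0"
        set dst "172.18.0.0/255.255.0.0"
        set gateway 172.18.1.254
        set output-device "port1"
    next
end

# 2. Hairpin policy with source NAT, so the server's replies are addressed to
#    the FortiGate and return through it (otherwise the core switch delivers
#    them straight to the client, which expects them from the VIP address).
#    The service is narrowed to the port actually published instead of "ANY".
config firewall policy
    edit 3
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server1"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end
```

A static route for 172.18.0.0/16 via 172.18.1.254 on Port1 (`config router static`) achieves the same forwarding as the policy route and is the simpler choice when the internal subnets are fixed; the policy route is shown because it is what the note above describes. With `set nat enable`, the server's logs will show the FortiGate's Port1 address rather than the real client IP for hairpinned connections, which matters if those logs feed access control or incident response.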
Reference (Fortinet KB):
Technical Note: How internal users can access internal resources via an external VIP (public IP address)
Case 2: Users and the services are on different FortiGate ports.
Solution (Case 2):
Firewall VIP
When configuring the VIPs, the external interface must be set to "any". Each published server needs its own VIP object; the second one is named "Server2" so that the policies below can reference it.
config firewall vip
    edit "Server1"
        set extip 67.2.22.22
        set extintf "any"    <<< "any" is a requirement
        set mappedip 172.18.10.1
    next
    edit "Server2"
        set extip 67.2.22.23
        set extintf "any"    <<< "any" is a requirement
        set mappedip 172.18.50.1
    next
end
Firewall Policy
1. Allow "WAN to Port1", "WAN to Port3", "Port1 to Port1" and "Port1 to Port3" (users are on Port1, Server1 on Port1, Server2 on Port3).
config firewall policy
    edit 4
        set srcintf "WAN"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Server1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 5
        set srcintf "WAN"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Server2"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 6
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "Server2"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
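To confirm that a hairpinned connection is actually translated by the VIP and accepted by the intended policy (in either case above), the following FortiOS CLI session is an added check; it is not part of the original post or the Fortinet KB. It assumes the VIP 67.2.22.22 mapped to 172.18.10.1 from the configuration above, a service on TCP/443, and a test client at 172.18.20.10 behind Port1 (a constructed address).

```fortios
# Added verification, not part of the original post. Assumed: VIP 67.2.22.22 -> 172.18.10.1,
# service on TCP/443, test client 172.18.20.10 behind Port1 (constructed address).

# 1. Trace the first packets of one connection through the kernel.
#    (FortiOS 6.x syntax; on 5.x replace "show function-name enable" with "show console enable".)
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 67.2.22.22
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 20
#    Now, from the client, open one connection:  curl -vk https://67.2.22.22/
#    In the trace, expect (exact wording varies by version):
#      - a DNAT line translating 67.2.22.22:443 -> 172.18.10.1:443 (the VIP matched on Port1);
#      - a "find a route" line leaving via port1 (the policy route or static route to the core switch);
#      - "Allowed by Policy-3" (the Port1 -> Port1 hairpin policy; "SNAT" appears only with nat enabled).
#    "Denied by forward policy check" means no Port1 -> Port1 policy matched; a reverse path
#    check failure means the FortiGate has no route back to the client's subnet on Port1.
diagnose debug disable
diagnose debug reset

# 2. Confirm the session: the orig direction is client -> VIP, the reply direction is
#    server -> client (or server -> FortiGate Port1 address when SNAT is enabled).
diagnose sys session filter clear
diagnose sys session filter src 172.18.20.10
diagnose sys session filter dport 443
diagnose sys session list
diagnose sys session filter clear
```

Run the trace from an SSH session rather than the console and keep the trace count small: with `diagnose debug enable` left on, a busy firewall floods the session and the filter is the only thing keeping the output readable.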
Hi bro, I need your help. Can you give an example of the policy route for Case 1?