
How To Troubleshoot Port Forwarding Issue From External To Internal Network

In this article, let us understand how to troubleshoot DNAT when it is not working from the external to the internal network on a FortiGate firewall.

Let's say you host an internal web server on port “4444”, the firewall has the public IP address “101.23.24.35”, and your internal server's IP address is “10.1.1.10”. The requirement is that when someone from the external network accesses IP address “101.23.24.35” on port “44444”, the traffic should be forwarded to “10.1.1.10”.

Here is the topology:

[Topology diagram: port forwarding]

I will assume you have already done the configuration part; you can use this article for reference:

How To Configure DNAT In Fortigate Firewall From WAN To LAN With Same Port

Troubleshooting Step-1:

First you need to identify whether the traffic is hitting the firewall at all when someone from the internet accesses the firewall on its public IP. To check this, execute the command below on the console of the firewall:

#diag sniffer packet any 'host a.b.c.d' 4 0 a

(where a.b.c.d is the public IP address of the client machine from which the user is trying to connect)

If you can see IN packets, the traffic is reaching the firewall and that part is fine. If you cannot see any IN packets, you need to check with the ISP; it is not a firewall issue.

Troubleshooting Step-2:

Let's say you can see IN packets but there are no OUT packets on the firewall. Then the issue is on the firewall itself: check whether the firewall policy is defined properly, since the VIP policy may not be configured correctly. You can check this article for reference again:

How To Configure DNAT In Fortigate Firewall From WAN To LAN With Same Port

Troubleshooting Step-3:

Let's say the sniffer output you took earlier shows traffic going out of the firewall, but there is no reply from the server. This happens when either the server is not responding or some networking device between the firewall and the web server is blocking the traffic.

So you need to check in the internal network what is happening to the packet.

Troubleshooting Step-4:

Sometimes there is a scenario where the internal web server will not accept a packet that arrives with the source address of the external PC, and instead sends reset packets, because the web server accepts connections only from its own network. In those scenarios you need to enable NAT in the WAN to LAN firewall policy.

If you disable NAT in the WAN to LAN VIP policy, the packet flow will be like:

When the packet enters the firewall: IN packet: client public IP --> firewall public IP

When the packet leaves the firewall: OUT packet: client public IP --> web server IP

If you enable NAT in the WAN to LAN VIP policy, the packet flow will be like:

When the packet enters the firewall: IN packet: client public IP --> firewall public IP

When the packet leaves the firewall: OUT packet: firewall LAN IP --> web server IP
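As an added example (not part of the original article), here is a small Python checker that applies the four troubleshooting steps above to saved sniffer output and reports which step the capture points to. It assumes only the general line shape of the sniffer's verbose-4 output and uses the article's addresses with a constructed capture; the sample lines are made up, not taken from a device.

```python
import re

# General shape of a FortiGate 'diag sniffer packet ... 4' line (an assumption about the
# format, not a specification):
# "<timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags> ..."
PKT_RE = re.compile(r"(\S+)\s+(in|out)\s+(\d+(?:\.\d+){3})\.(\d+)\s+->\s+"
                    r"(\d+(?:\.\d+){3})\.(\d+):\s*(.*)")

def parse_line(line):
    """Return a dict for a sniffer packet line, or None for any other output line."""
    m = PKT_RE.search(line)
    if not m:
        return None
    iface, direction, src, sport, dst, dport, flags = m.groups()
    return {"iface": iface, "dir": direction, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags.lower()}

def diagnose(lines, client_ip, fw_public_ip, server_ip, port):
    """Return which of the article's troubleshooting steps a capture points to."""
    pkts = [p for p in map(parse_line, lines) if p]
    # Step 1: the client's packets must arrive on the firewall's public IP.
    if not any(p["dir"] == "in" and p["src"] == client_ip and p["dst"] == fw_public_ip
               and p["dport"] == port for p in pkts):
        return "step1"  # no IN packets: traffic never reaches the firewall, ask the ISP
    # Step 2: the VIP policy must forward them to the internal server.
    outbound = [p for p in pkts if p["dir"] == "out" and p["dst"] == server_ip
                and p["dport"] == port]
    if not outbound:
        return "step2"  # IN but no OUT: check the WAN-to-LAN VIP policy
    # Step 3: the server (or the path to it) must answer.
    replies = [p for p in pkts if p["dir"] == "in" and p["src"] == server_ip
               and p["sport"] == port]
    if not replies:
        return "step3"  # forwarded but no reply: check the server and the internal path
    # Step 4: the server resets a flow whose source is still the client's public IP.
    if any(p["src"] == client_ip for p in outbound) and any("rst" in p["flags"] for p in replies):
        return "step4"  # enable NAT on the WAN-to-LAN VIP policy
    return "ok"

# Constructed capture (not real device output) showing the step-4 symptom.
SAMPLE = [
    "2024-01-01 10:00:00.000001 wan1 in 203.0.113.7.51234 -> 101.23.24.35.44444: syn 1001",
    "2024-01-01 10:00:00.000050 internal out 203.0.113.7.51234 -> 10.1.1.10.44444: syn 1001",
    "2024-01-01 10:00:00.000900 internal in 10.1.1.10.44444 -> 203.0.113.7.51234: rst 0",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE, "203.0.113.7", "101.23.24.35", "10.1.1.10", 44444))  # step4
```

Paste the console output into a file and feed its lines to diagnose() with your own client, firewall and server addresses; header lines such as "filters=[host ...]" are ignored by the parser.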

Hope this article helps you 🙂