Hi
I have a situation with Fortigate (501E), no VDOMs. Routing is "on a stick" - no L3 switches.
- There is a web server on 10.10.104.31 (VLAN 104) with VIPs (x.y.89.164:80 -> 10.10.104.31:80 and ICMP x.y.89.164 -> 10.10.104.31)
- There is a policy which allows ANY -> VLAN 104 for these VIPs
- There is a routed network x.y.78.0/24 on internal network (VLAN 71)
- There is a server x.y.78.30 on said network (VLAN 71)
- There is policy which allows VLAN 71 -> ANY
The problem is server x.y.78.30 can connect anywhere on the internet EXCEPT this service (x.y.89.164)
On the diag debug flow (with filter "addr x.y.78.30") I can see only packets going in, and they are allowed by policy and correctly DNAT'ed to 10.10.104.31.
On the other hand, ping (x.y.78.30 -> x.y.89.164) works, but the ping reply comes from 10.10.104.31!
asymroute is enabled.
I just can't wrap my head around this. Is this NAT somehow not registering? But it doesn't even show reply-direction packets from 10.10.104.31 (even when using ping).
If this were the same internal network I would just hairpin NAT to the router IP and call it a day, but in the web server's logs I want to see the real IP (x.y.78.30).
Do you have any ideas?
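For reference, here is the setup described in the post written out as a FortiOS CLI fragment, followed by the diagnostics that show both directions of the flow at the wire and in the session table. This is an added, constructed example, not the poster's actual configuration: the interface names (vlan104, vlan71), object names and policy IDs are assumptions, and x.y.* stays masked as in the post.

```text
# Constructed FortiOS CLI fragment reproducing the described setup.
# Interface names (vlan104, vlan71), object names and policy IDs are assumed.
config system settings
    set asymroute enable
end

config firewall vip
    edit "vip-web-80"
        set extip x.y.89.164
        set extintf "any"
        set portforward enable
        set mappedip "10.10.104.31"
        set protocol tcp
        set extport 80
        set mappedport 80
    next
    edit "vip-web-icmp"
        set extip x.y.89.164
        set extintf "any"
        set mappedip "10.10.104.31"
    next
end

config firewall policy
    edit 10
        set name "any-to-vip"
        set srcintf "any"
        set dstintf "vlan104"
        set srcaddr "all"
        set dstaddr "vip-web-80" "vip-web-icmp"
        set action accept
        set schedule "always"
        set service "HTTP" "PING"
    next
    edit 20
        set name "vlan71-to-any"
        set srcintf "vlan71"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Diagnostics: the flow trace only reports policy decisions for packets that
# match the filter, so pair it with a sniffer on all interfaces that also
# matches the real server IP, and with the session table entry for the client.
diagnose sniffer packet any 'host x.y.78.30 and (host x.y.89.164 or host 10.10.104.31)' 4 0 l

diagnose debug flow filter addr x.y.78.30
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

diagnose sys session filter src x.y.78.30
diagnose sys session list
```

Sniffer verbosity 4 prints the ingress and egress interface of every packet, so an entry for the web server's reply on vlan104 with no matching egress towards vlan71 is the kind of asymmetry the post describes; the session list shows whether the DNAT session created on the way in is the one the reply is expected to match.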