05-27-2020 06:41 AM
I have an ASA 5510 firewall and a Fortigate is connected to a VLAN interface in the ASA. I have a public IP address NATed (object NAT) to the outside interface of the Fortigate. The NAT doesn't seem to work: I see the traffic hitting the public IP address but not the outside interface of the Fortigate. Any suggestions?
05-31-2020 04:44 AM
Thanks for your help.
Still getting the same issue. Please find below the output of packet-tracer after removing the twice NAT:
-FW01/pri/act# show run nat | include CD-BFS-NORTH
object network CD-BFS-NORTH
FW01/pri/act# show nat | include CD-BFS-NORTH
1 (EPL_VPN) to (OUTSIDE) source static CD-BFS-NORTH Fortigate-IP
FW01/pri/act# show access-list | i CD-BFS-NORTH
access-list OUTSIDE_INGRESS line 27 extended permit object-group DM_INLINE_SERVICE_11 any object CD-BFS-NORTH log informational interval 300 (hitcnt=0) 0x070a3eba
CD-24LH-FW01/pri/act# packet-tracer input ouTSIDE icmp 92.239.10.100 8 0 80.10.10.51
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 80.10.10.48 255.255.255.248 OUTSIDE
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group OUTSIDE_INGRESS in interface OUTSIDE
access-list OUTSIDE_INGRESS extended deny ip any any
Additional Information:
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
It looks like the translation is happening in one direction; not sure why.
05-31-2020 07:05 AM
What protocols are you allowing in your ACL?
sh run object-group id DM_INLINE_SERVICE_11
05-31-2020 07:15 AM
ICMP, HTTP, HTTPS
FW01/pri/act# sh run object-group id DM_INLINE_SERVICE_11
object-group service DM_INLINE_SERVICE_11
service-object icmp
service-object tcp-udp destination eq www
service-object tcp destination eq https
06-01-2020 04:25 AM
Sorted.
Just re-added the NAT statement at the top of all the NAT rules and it worked.
1 (OUTSIDE) to (any) source static any any destination static Fortigate-IP CD-BFS-NORTHW
Thanks all for your help.
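As an added example (not from this thread or from Cisco), a small Python parser for packet-tracer output like the one posted above: it splits the output into phases and flags the pattern seen here, an ACCESS-LIST drop with no UN-NAT phase before it, which is what you see when inbound traffic never reaches the destination NAT rule (ASA 8.3+ evaluates interface ACLs against the real, untranslated address). The sample input is the poster's output, trimmed to phases 2 and 3.

```python
# Constructed test input: the packet-tracer output posted above, trimmed to phases 2-3.
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 80.10.10.48 255.255.255.248 OUTSIDE
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
access-group OUTSIDE_INGRESS in interface OUTSIDE
access-list OUTSIDE_INGRESS extended deny ip any any
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into dicts: phase type, result and Config: lines."""
    phases, cur, in_config = [], None, False
    for line in text.splitlines():
        if line.startswith("Phase:"):
            phases.append(cur := {"type": "", "result": "", "config": []})
            in_config = False
        elif cur is None or line.strip() == "Result:":
            cur, in_config = None, False   # bare "Result:" opens the trailing summary block
        elif line.startswith(("Type:", "Result:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config:
            cur["config"].append(line.strip())
    return phases

def diagnose(text):
    """'ALLOW', 'acl-drop-before-un-nat' (likely NAT order/placement problem) or 'drop:<TYPE>'."""
    phases = parse_phases(text)
    for i, p in enumerate(phases):
        if p["result"] == "DROP":
            # ASA (8.3+) checks interface ACLs against the real address, so a
            # destination NAT must show up as a UN-NAT phase before the ACL phase.
            if p["type"] == "ACCESS-LIST" and "UN-NAT" not in {q["type"] for q in phases[:i]}:
                return "acl-drop-before-un-nat"
            return "drop:" + p["type"]
    return "ALLOW"
```

Run it over `show` output pasted from the ASA; a result of `acl-drop-before-un-nat` for a flow to a mapped address is the cue to check NAT rule order with `show nat` before touching the ACL.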