Configuring Hair-pinning on a FortiGate

Posted: August 19, 2018 in fortigate

Hair-pinning (NAT loopback) is the technique where a machine accesses another machine on the LAN via an external network.

Traffic goes through LAN interface to the Internet,traffic then goes back to the same interface,connecting to it’s External IP. Traffic is then forwarded by Fortigate through virtual IP to local destination.

In this example, windows machine on LAN network hosts web server.From LAN machines, it can only be accessed by internal IP. If trying accessing Web server by public  IP (from machines on local network, it will fail

1.PNG

Create Virtual IP which will map Public IP to local IP of Web Server

Policy & Objects-Create new-Virtual IP

External IP range:Public IP

Mapped address range:Web Server local IP

Enable port forwarding

External Service port:Port from which traffic will be mapped

Map to port:Port to which traffic will be mapped

In this case traffic from Public IP on port 80 will be forwarded to same port on internal address

2.PNG

 

Creating IPV4 policy

Incoming and outgoing Interface:LAN interface

Source:all

destination:Virtual IP created in previous step

NAT disabled

 

3.PNG

Now, from machines on LAN, web site should be accessible using Public IP

4.PNG

Advertisements
Comments
  1. Jaro says:

    Hello,

    If I am correct, you are missing “set match-vip enable” command in the HAIRPIN policy. This can be configured via CLI only.

    Like

  2. RBotha says:

    Hi, I have a webserver on a DMZ interface (with a different subnet, obviously) but this still doesn’t work. My setup is the same as yours, but in my policy, my outgoing interface is my DMZ VLAN port, since the server is not on my local lan. I still can’t hit said server… Any suggestions?

    Like

    • Jaro says:

      Hello RBotha,

      Could you please post all related configuration in this thread? VIP object configuration + policy.

      Thank you.

      Jaro

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s