Port Forwarding through an IPSEC tunnel to a remote server/pc with Fortinet

Posted on March 1, 2012

Typically this situation should never happen: you can always forward the port at the other side, right? As all you IT guys know, third-party software and complex networks will ask for some weird deployment tasks. This demonstration assumes you already have an interface-based IPsec tunnel running between two Fortinet appliances and that they are talking like best friends. I've tested this on 4.0 MR3 P5; I suggest you use the same or the current release.

Site A
Fortinet A

--- WAN1: 55.55.55.20
--- Int1: 10.20.1.1
--- Port 36008 should be forwarded to 10.10.1.17 in Site B

Site B
Fortinet B

--- WAN1: 66.66.66.60
--- Int1: 10.10.1.1
--- Server on 10.10.1.17 with port 36008 open and ready

IPSEC Interface Name: IPSEC-YKN1-SPG1

The idea: when anyone on the internet connects to 55.55.55.20 on port 36008, they will be redirected up through the IPsec tunnel to the remote server. Let's get started!

1) Fortinet A - Create a port-forwarding rule (virtual IP) just like any other


2) Fortinet A - Create a firewall policy that allows the internet traffic in on WAN1 and out the IPsec interface, with your port-forwarding rule (the remote server) as the destination

Do not forget to enable NAT!!!

3) Fortinet B - Create a reverse route for the WAN1 subnet of Fortinet A, pointing at the IPsec interface

Without this, Fortinet B will drop the incoming packets when it does its reverse path check:

id=36871 trace_id=188 func=ip_route_input_slow line=1268 msg="reverse path check fail, drop"

I recommend you set the distance to 1 so that it takes priority, but decide based on your other routes.

Instead of using the /24, you could use just the gateway address that the WAN1 port of Fortinet A is using. For this demonstration, to help keep your sanity, we've left it at the full subnet.
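The three steps above as FortiOS CLI, written here as an added example rather than taken from the original post. The object names (VIP-36008-SiteB, TCP-36008) are my own, the interface name wan1 is assumed to be the CLI name of the WAN1 port, and the policy on Fortinet B that already lets tunnel traffic reach 10.10.1.17 is assumed to exist since the tunnel is working. Keywords are limited to ones present in 4.0 MR3; newer releases accept the same.

```text
# ---- Fortinet A: step 1, the port-forwarding rule (virtual IP) ----
config firewall vip
    edit "VIP-36008-SiteB"
        set extintf "wan1"
        set extip 55.55.55.20
        set mappedip 10.10.1.17
        set portforward enable
        set protocol tcp
        set extport 36008
        set mappedport 36008
    next
end

# ---- Fortinet A: a custom service so the policy only matches TCP/36008 ----
config firewall service custom
    edit "TCP-36008"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 36008
    next
end

# ---- Fortinet A: step 2, WAN1 -> IPsec interface policy, with NAT enabled ----
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "IPSEC-YKN1-SPG1"
        set srcaddr "all"
        set dstaddr "VIP-36008-SiteB"
        set action accept
        set schedule "always"
        set service "TCP-36008"
        set nat enable
    next
end

# ---- Fortinet B: step 3, reverse route for Fortinet A's WAN1 /24 via the tunnel ----
# Distance 1 so it wins over other routes, as the post recommends; adjust to taste.
config router static
    edit 0
        set dst 55.55.55.0 255.255.255.0
        set device "IPSEC-YKN1-SPG1"
        set distance 1
    next
end
```

Two things worth checking after pasting this in: the policy order on Fortinet A (a broader WAN1 policy listed above it would catch the traffic first), and that the static route on Fortinet B actually shows up in the routing table with the IPsec interface as its device. The "reverse path check fail, drop" line quoted in step 3 is what the FortiGate debug flow trace prints when that route is missing, so the same trace is the quickest way to confirm the route fixed it.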

4) Test it out!

The best way to test this is to telnet to port 36008 on 55.55.55.20 from an EXTERNAL location.
You can do this from any operating system.

telnet 55.55.55.20 36008

If it connects to your service, you're good to go!

If you're having issues, I suggest changing the forwarded port to one that you know is open on the server. Use telnet from inside your network first to verify the port is open, then test externally.

Common server ports are 21, 22, 80, 110, 143 and 3389.

Check which ports are open on your server, head back to Step 1 and use that port instead.
Once you have it routing through to that port correctly, change it back to the actual port you need.