Exercise 2 - Ingress (No SNAT)
Ingress Traffic flow from Jumpbox to WorkloadA (no SNAT)
This is an extension of Exercise 1
Info
The IP Address of the Ubuntu Host is 10.99.98.10
Success Requirement
- From your device (not the Jumphost) SSH to Workload A using
ssh -P <port> -i sshkey-aplab-ssh-priv.pem ubuntu@<clusterIP>
Use the port forward you configured - Run
ss -nat
on Workload A and confirm the source IP is the FortiGate. Look for ESTAB sessions
Warning
Either use port translation or change the FortiGate SSH listening listening address on Port1. Port translation is preferred
Danger
Multiple failed login attempts to the FortiGate SSH CLI will result in a 5+ minute lockout. AAny failed login should be carefully considered before attempting again. Ask yourself - Am I connecting to the FortiGate or to the Ubuntu host?
Tip
FortiGate offers powerful diagnostic tools. Try some of the following when connecting
diag sniffer packet any ‘tcp and port 22’ 4 0 1
diag sniffer packet any ‘tcp and port 2222’ 4 0 1
- if using a tcp port translation
diag sniffer packet any ‘host <ip>’ 4 0 1
- if you want to focus on a specific IP
Help I'm Lost!
- Just policy?