rohitchoudhary1978
Visitor III
September 25, 2019
Solved

NAT and Routing related

  • September 25, 2019
  • 3 replies
  • 15701 views

Hi,

PFA an elaborated network diagram. Firewall FGT100D at Site 2 acts as a router only. FGT600c at Site 1 (head office) is used for firewall permissions, with different policies created for Site_2. Now the issue is with the routing: when we use NAT at Site_2 it won't show the desktops' local LAN IP at the Site_1 firewall FGT600c, it just shows the WAN-side IP, i.e., 17.17.17.2 or 18.18.18.2 of the Site_2 firewall, and the IP-based policy won't work. Disabling NAT doesn't let the internet work on the desktops, but it shows connectivity at the Site_2 firewall's terminal window and can ping gmail.com/yahoo etc.

Please help.

*SDWAN is enabled at Site_2 and P2P lease lines act as 2 wan connections.

*D235 mentioned in diagram is equivalent to Site_2


Regards

Rohit K

Best answer by sw2090

You will need to differentiate traffic by policy probably:

one policy to allow traffic from the subnet on site 2 to the subnet on site 1 without NAT

one policy to allow traffic to any subnet from the subnet on site 2 with dstintf site 1 and NAT enabled

They must be in this order.

And you need static routes for site 1 at site 2 and vice versa.

3 replies

rohitchoudhary1978
Visitor III
September 25, 2019

Hi, One more update.

After disabling NAT at Site_2, I checked the firewall terminal and I am able to ping gmail.com or any other destination, but not able to access the internet from a desktop.


Rgds

Rohit

rwpatterson
New Member
September 25, 2019

Why don't you just NAT on the second Internet facing firewall? Same policy as on the first, but move it to the unit where it does the most good.

ede_pfau
SuperUser
September 25, 2019

"NAT very often is poor man's routing: if it doesn't work, NAT it, and it will do."

Your problem is that the routing configuration is missing. You've got a subnet behind FGT2 which is unknown to FGT1. And vice versa.

NAT is not a solution, it's a kludge. Never NAT if you really have to route.

Put a static route on FGT1

192.168.1.0/24 via wan2, gw 17.17.17.2 (assuming wan2 points to the leased line, wan1 to the internet feed)

and on FGT2

192.168.x.0/24 via wan1, gw 17.17.17.1 (assuming wan1 points to the leased line; specify the FGT1 LAN subnet)

Otherwise, not only will routing be missing, but the FGTs will discard the traffic from the other side as "unknown" (anti-spoof).

I hope this makes sense to you.

You might post the current routing tables if you think routing is already in place.
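A small added model of the two points this thread turns on: first-match policy order at FGT2 (the no-NAT site-to-site policy must sit above the NAT-to-any policy) and the static route FGT1 needs before its anti-spoof check will accept packets from 192.168.1.0/24 on wan2. This is example code written for this page, not anything from the posters or from FortiOS; the Site_1 LAN 192.168.10.0/24 and the ISP gateway 203.0.113.1 are assumed values.

```python
import ipaddress

# Constructed topology from the thread. The FGT1 LAN is only given as
# 192.168.x.0/24, so 192.168.10.0/24 is an assumption; the ISP gateway is made up.
ANY = ipaddress.ip_network("0.0.0.0/0")
SITE1_LAN = ipaddress.ip_network("192.168.10.0/24")   # assumed FGT1 LAN
SITE2_LAN = ipaddress.ip_network("192.168.1.0/24")    # FGT2 LAN from the thread
FGT2_WAN = ipaddress.ip_address("17.17.17.2")         # FGT2 leased-line address
ISP_GW = ipaddress.ip_address("203.0.113.1")          # constructed internet gateway

def lookup(routes, addr):
    """Longest-prefix match over (network, interface, gateway) tuples."""
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def source_seen_by_peer(policies, src, dst):
    """FGT2 policy lookup is top-down, first match wins. Returns the source
    address FGT1 will see, or None when no policy accepts the flow."""
    for pol in policies:
        if src in pol["src"] and dst in pol["dst"]:
            return FGT2_WAN if pol["nat"] else src
    return None

def rpf_accept(routes, src, ingress):
    """Anti-spoof (strict reverse-path) check on FGT1: the best route back to
    src must leave via the interface the packet arrived on."""
    route = lookup(routes, src)
    return route is not None and route[1] == ingress

# Policies from the best answer, in the required order: specific no-NAT first.
POLICY_ORDERED = [
    {"src": SITE2_LAN, "dst": SITE1_LAN, "nat": False},
    {"src": SITE2_LAN, "dst": ANY, "nat": True},
]
POLICY_REVERSED = list(reversed(POLICY_ORDERED))

# FGT1 routing tables: before and after the static route described above.
FGT1_NO_STATIC = [(ANY, "wan1", ISP_GW)]
FGT1_WITH_STATIC = FGT1_NO_STATIC + [(SITE2_LAN, "wan2", FGT2_WAN)]

if __name__ == "__main__":
    host = ipaddress.ip_address("192.168.1.50")
    server = ipaddress.ip_address("192.168.10.20")
    print("ordered  :", source_seen_by_peer(POLICY_ORDERED, host, server))   # 192.168.1.50
    print("reversed :", source_seen_by_peer(POLICY_REVERSED, host, server))  # 17.17.17.2
    print("no route :", rpf_accept(FGT1_NO_STATIC, host, "wan2"))            # False
    print("static   :", rpf_accept(FGT1_WITH_STATIC, host, "wan2"))          # True
```

With the policies reversed, every Site_2 flow is NATed to 17.17.17.2 and FGT1's IP-based policy can no longer see the desktop, which is exactly the symptom in the opening post.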

rohitchoudhary1978
Visitor III
September 26, 2019

ede_pfau wrote:

"NAT very often is poor man's routing: if it doesn't work, NAT it, and it will do."

Your problem is that the routing configuration is missing. You've got a subnet behind FGT2 which is unknown to FGT1. And vice versa.

NAT is not a solution, it's a kludge. Never NAT if you really have to route.

Put a static route on FGT1

192.168.1.0/24 via wan2, gw 17.17.17.2 (assuming wan2 points to the leased line, wan1 to the internet feed)

and on FGT2

192.168.x.0/24 via wan1, gw 17.17.17.1 (assuming wan1 points to the leased line; specify the FGT1 LAN subnet)

Otherwise, not only will routing be missing, but the FGTs will discard the traffic from the other side as "unknown" (anti-spoof).

I hope this makes sense to you.

You might post the current routing tables if you think routing is already in place.

Hi,

Thanks for the reply. I'll try to do static routing now and let you know if it works.


Rgds

Rohit

ageric
New Member
September 25, 2019

18.18.18.2 and 17.17.17.2 are both public IP addresses, so I'm assuming you're accessing everything across public links on the internet.

If that's the case, then no, you won't be able to tell which machine is which on the other side.

To get around it, you can set up a VPN tunnel between both sites, a link network inside it, and static routes on either side to make sure traffic is properly routed on each side. For that to work, you can't have network overlap between the two sites, so 192.168.1.0/24 can't exist anywhere in the head office.

rohitchoudhary1978
Visitor III
September 26, 2019

ageric wrote:

18.18.18.2 and 17.17.17.2 are both public IP addresses, so I'm assuming you're accessing everything across public links on the internet.

If that's the case, then no, you won't be able to tell which machine is which on the other side.

To get around it, you can set up a VPN tunnel between both sites, a link network inside it, and static routes on either side to make sure traffic is properly routed on each side. For that to work, you can't have network overlap between the two sites, so 192.168.1.0/24 can't exist anywhere in the head office.

Hi,

Hmm... an IPsec tunnel is a good idea as well... but I'm still stuck at the permissions I have to set at the site_1 firewall for site_2 users... I think it can be done with some effort.

Thanks

Rohit

emnoc
New Member
September 26, 2019

If those 2 lines are leased lines, just enable routing. No need for SD-WAN, just ECMP.

site2

config router static
    # two equal-cost default routes, one per leased line (ECMP)
    edit 1
        set dst 0.0.0.0/0
        set device wan(xxx)
        set gateway 17.17.17.1
    next
    edit 2
        set dst 0.0.0.0/0
        set device wan(xxx)
        set gateway 18.18.18.1
    next
end

site 1

config router static
    # two equal-cost routes back to the site 2 LAN, one per leased line (ECMP)
    edit 1
        set dst 192.168.1.0/24
        set device wan(xxx)
        set gateway 17.17.17.2
    next
    edit 2
        set dst 192.168.1.0/24
        set device wan(xxx)
        set gateway 18.18.18.2
    next
end