Navs
New Member
January 29, 2020
Solved

Policy route query

  • January 29, 2020
  • 1 reply
  • 5387 views

Hi

I have a query regarding policy routes. We have a customer whose network is connected to our firewall as in the diagram. Their network overlaps with our own internal network subnets. In order to support our customer, we need to jump onto some servers on their network, say 10.40.1.10. We are using an RDP jump box, located in our DMZ, to jump across onto the customer network. The problem is that if we try to connect to 10.40.1.10, the firewall static route sends us out our internal interface instead of the customer interface. BTW, we have devices on 10.40.1.0/24 in our network too, but the RDP server doesn't need to connect to them.

I am thinking about using policy routing to get around this issue on the FortiGate 100E. Is that something I can do? Will the policy rule overrule the static route? Am I on the right track, or will I need to use NAT?

    1 reply

    isamt (Best answer)
    New Member
    January 29, 2020

    Yes, a policy route does override the routing table, so it would do what you want.

    Under Network | Policy Route, click Create New:

        Protocol: any
        Incoming interface: DMZ
        Source address: 172.18.26.24/255.255.255.255
        Destination address: 10.40.1.10/255.255.255.255 (or select address objects)

        Action: forward traffic
        Outgoing interface: Customer
        Gateway address: 10.40.1.1
        Enable: yes

    You will also need to add a firewall policy to allow the traffic from DMZ to Customer:

        Source          Destination    Service    NAT
        172.18.26.24    10.40.1.10     RDP        No

    If you need to access several hosts in the Customer network and the jumpbox doesn't need to access the internal 10.40.1.0/24 subnet, then add the subnet 10.40.1.0/24 as the destination in the policy route so that any traffic to that subnet is sent to the customer network.
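The same configuration expressed in the FortiOS CLI, as an added example that is not part of isamt's answer or of Fortinet's documentation. It assumes the interfaces are named exactly "DMZ" and "Customer" as in the answer, that policy route sequence number 1 and firewall policy ID 100 are unused, and that the address object names are choices made here; the "RDP" service object is a FortiOS built-in.

```fortios
# Added example: FortiOS CLI equivalent of the GUI steps in the answer above.
# Assumptions: interface names "DMZ" and "Customer" exist with exactly these
# names, policy route seq 1 and firewall policy ID 100 are unused, and the
# address object names below were chosen for this example.

# Address objects for the jump box and the customer server (one host each).
config firewall address
    edit "jumpbox_172.18.26.24"
        set subnet 172.18.26.24 255.255.255.255
    next
    edit "customer_srv_10.40.1.10"
        set subnet 10.40.1.10 255.255.255.255
    next
end

# Policy route: consulted before the routing table, so this entry wins over
# the static route for 10.40.1.0/24. The match is deliberately narrow (one
# ingress interface, one source host, one destination host), so traffic to the
# internal 10.40.1.0/24 from any other host still follows the static route.
config router policy
    edit 1
        set input-device "DMZ"
        set src "172.18.26.24/255.255.255.255"
        set dst "10.40.1.10/255.255.255.255"
        set protocol 0
        set gateway 10.40.1.1
        set output-device "Customer"
        set action permit
        set status enable
    next
end

# Firewall policy: the policy route only picks the egress interface; the
# session is still dropped unless a DMZ -> Customer policy accepts it.
# No NAT, RDP only, logged so the jump-box sessions are auditable.
config firewall policy
    edit 100
        set name "jumpbox-to-customer-rdp"
        set srcintf "DMZ"
        set dstintf "Customer"
        set srcaddr "jumpbox_172.18.26.24"
        set dstaddr "customer_srv_10.40.1.10"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat disable
        set logtraffic all
    next
end

# Verification: list the active policy routes, then confirm RDP from the jump
# box actually leaves on the Customer interface while a connection is attempted.
diagnose firewall proute list
diagnose sniffer packet Customer 'host 10.40.1.10 and port 3389' 4 10
```

For the multi-host variant isamt describes, change `set dst` to `10.40.1.0/255.255.255.0` and widen the destination address object to match, but keep `input-device` and `src` pinned to the jump box so no other internal host has its 10.40.1.0/24 traffic diverted; `get router info routing-table all` should still show the original static route unchanged, because a policy route does not modify it.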

    emnoc
    New Member
    January 29, 2020

    Correct, but you could fix this with a DNAT VIP using one of your addresses and mapping it to the customer server. Just add an internal DNS name and have your users use it.

    Ken Felix