Cybersecurity Forum

Deep VIP

I have an interesting issue coming up in another day or two. We have a FG on site at a client that is adding a P2P to our data center partner which will ultimately become their only Internet circuit. Right now there is a VIP on the client's FG to a voice server. I'll need to make a replacement VIP from our FG which will be a couple of hops away through the client FG.

Ext.IP - FG - VDOM Link - VDOM - VLAN Interface - P2P circuit - FG - Int.IP

As long as we have routing working all the way through, is there any reason we shouldn't be able to do this VIP?

Norris Carden, CISSP, CISA | Sr. Security Engineer | Arnett Group
920.261.2037  x115
mnantel_FTNT
Staff

Hi Norris,

That should not pose an issue - so long as all hops can route from the left most FG to the right most FG (and all are aware of the INT IP from a routing standpoint). Having the NAT occur on the left most FG unit will work, with the caveat that again, you need to ensure that those subnets are known across your whole set of hops.

HTH,

Mat

--

Mathieu Nantel - NSE4, CCIE 24349

Principal System Engineer / Consultant Technique Senior, Office of the CTO

-- Mathieu Nantel Systems Engineer / Conseiller Technique - Fortinet Montreal, QC

Kurt_Knochner_FTNT

Hi Norris,

>As long as we have routing working all the way through, is there
>any reason we shouldn't be able to do this VIP?

As long as "have routing working" includes the proper routes back to your ext. FG, then yes. However, if the internal FG has a default route somewhere else into the P2P network, it would route the answer packets (SYN-ACK) somewhere, but not back to your ext. FG. In that case, you could do Source NAT on the ext. FG to "force" the packets back to itself, while assuming that there is a proper route back to the internal IP of the ext. FG in the whole internal network (including the P2P part).

Regards
Kurt

Kurt Knochner  |  Senior Systems Engineer  |  Carrier Team Germany
Phone:  +49 163 737 8484  |  email: kknochner@fortinet.com  |  skype: kkn_fortinet
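The setup Mat and Kurt describe, as an added FortiOS CLI example that is not part of either reply or of any Fortinet documentation: a VIP on the external (leftmost) FortiGate that maps the public address to the voice server several hops away, and a firewall policy that carries the VIP and has source NAT enabled so that return traffic is forced back to the external FortiGate regardless of the internal FortiGate's default route. The addresses (203.0.113.10 public, 10.20.30.40 voice server), interface names (wan1, vdom-link0), object names and the SIP port are constructed placeholders; substitute the real values, and the route for 10.20.30.0/24 must still exist on every hop, as both replies stress.

```fortios
# Added example, not from the thread. All IPs, names and ports are assumed.
# Destination NAT: public address on wan1 -> voice server behind the P2P link.
config firewall vip
    edit "voice-server-vip"
        set extip 203.0.113.10          # public IP owned by the external FG (assumed)
        set extintf "wan1"              # Internet-facing interface (assumed name)
        set mappedip "10.20.30.40"      # voice server, two hops away (assumed)
        set portforward enable          # forward only the voice port, not every port
        set protocol udp
        set extport 5060
        set mappedport 5060
    next
end

# Inbound policy toward the VDOM link. "set nat enable" is the source NAT Kurt
# suggests: the voice server sees the VDOM-link address of the external FG as the
# client, so its replies are routed back here even if its default route points
# elsewhere into the P2P network.
config firewall policy
    edit 0
        set name "inbound-voice-vip"
        set srcintf "wan1"
        set dstintf "vdom-link0"        # VDOM link toward the P2P circuit (assumed)
        set srcaddr "all"
        set dstaddr "voice-server-vip"  # the VIP object, not the mapped address
        set action accept
        set schedule "always"
        set service "SIP"
        set nat enable                  # source NAT to the outgoing interface IP
        set logtraffic all              # keep per-session logs for troubleshooting
    next
end
```

Without `set nat enable`, the policy is plain destination NAT and only works if every hop routes the original client addresses back through the external FortiGate (Mat's case). With it, the voice server logs show the FortiGate's internal address instead of the real caller, so the external FortiGate's own traffic log becomes the only place that records the original source; that is the trade-off to weigh before turning source NAT on.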