Fortinet Client to Fortigate 50 OS 2.50

mas1971 · ‎04-27-2005

Hello guys, iam new and comming out from germany. so, i am very sorry for my bad english. but i hope i can explain, what my problem is. (and sure i hope you can help me) we have got a smal soho office. i just want to access my server (windows 2003 sbs) with may laptop over internet, by vpn connection, to adminitrate or got some files... i installed fortinetclient 1.2.204 and i am running fortinet os 2.50 MR9 buil 269, (newer version wont run.) (And i know, fortigate 50 was just changed to fortigate 50a about 4 weeks later we buy it, but there was no upgrade possible (by paying the different, sure) i can connet to fortigate by agressive mode. so long. i can access to fortigate and configure it over vpn. very good. i can ping to fortigate. but thats all. i cannot ping to my server, or other clients (Yes the soho office runs very well with some w2k clients and w2k3 server and fortigate firewall) the fortigate ip is 192.168.100.99. (with subnet 255.255.255.0) the sever ist 192.168.100.1 Server runs dhcp, dns, and so on. i have configured the forticlient to connect to remote networt 192.168.100.0 at subnet 255.255.255.0 and give a manuel ip to fortinet client at 192.168.102.1 because my home network ist 192.1681.101.0 here is the ipconfig /all message C:\Dokumente und Einstellungen\mas>ipconfig /all Windows-IP-Konfiguration Hostname. . . . . . . . . . . . . : TP1800_MAS PrimÃ¤res DNS-Suffix . . . . . . . : Knotentyp . . . . . . . . . . . . : Hybrid IP-Routing aktiviert. . . . . . . : Nein WINS-Proxy aktiviert. . . . . . . : Nein DNS-Suffixsuchliste . . . . . . . : headquarter.abakus-fiscal.de home.abakus-fiscal.de Ethernetadapter LAN-Verbindung: Verbindungsspezifisches DNS-Suffix: home.abakus-fiscal.de Beschreibung. . . . . . . . . . . : Intel(R) PRO/100 VE Network Connecti on Physikalische Adresse . . . . . . : 00-02-8A-2B-9A-52 DHCP aktiviert. . . . . . . . . . : Ja Autokonfiguration aktiviert . . . : Ja IP-Adresse. . . . . . . . . . . . : 192.168.101.40 Subnetzmaske. . . . . . . . . . . : 255.255.255.0 Standardgateway . . . . . . . . . : 192.168.101.98 DHCP-Server . . . . . . . . . . . : 192.168.101.98 DNS-Server. . . . . . . . . . . . : 192.168.101.98 Lease erhalten. . . . . . . . . . : Mittwoch, 27. April 2005 18:55:12 Lease lÃ¤uft ab. . . . . . . . . . : Donnerstag, 28. April 2005 03:15:12 Ethernetadapter {E58825C1-2E6A-40E6-ACEF-45CC476CC2FF}: Verbindungsspezifisches DNS-Suffix: headquarter.abakus-fiscal.de Beschreibung. . . . . . . . . . . : Fortinet virtual adapter - Paketplan er-Miniport Physikalische Adresse . . . . . . : 00-09-0F-FE-00-01 DHCP aktiviert. . . . . . . . . . : Ja Autokonfiguration aktiviert . . . : Ja IP-Adresse. . . . . . . . . . . . : 192.168.102.1 Subnetzmaske. . . . . . . . . . . : 255.255.255.0 Standardgateway . . . . . . . . . : DHCP-Server . . . . . . . . . . . : 192.168.102.2 DNS-Server. . . . . . . . . . . . : 192.168.100.1 PrimÃ¤rer WINS-Server. . . . . . . : 192.168.100.1 Lease erhalten. . . . . . . . . . : Mittwoch, 27. April 2005 21:20:01 Lease lÃ¤uft ab. . . . . . . . . . : Dienstag, 19. Januar 2038 05:14:07 whats going wrong? why i cannot connect to the server? (or ping to it) Policy is set to: Source internet_all Destination external_all Schedule always Service any Action encrypt NAT Dynamic IP Pool Fixed Port VPN Tunnel (yes its the right one) Allow inbound (yes) Inbound NAT (no) Allow outbound (yes) Outbound NAT (no) Traffic Shaping (no) Guaranteed Bandwidth (KBytes/s) Maximum Bandwidth (KBytes/s) Traffic Priority Authentication (no) Anti-Virus & Web filter (no) Content Profile Log Traffic (no) Comments: maximum 63 characters Thank you very much! Martin

Best wishes out of Germany

Report Inappropriate Content · ‎04-27-2005

Yes inbound nat to yes, Eric

mas1971 · ‎04-28-2005

Hi Eric thanks. this helps a lot. (but why is it not explaind in helpfile?) now i can connect to http server running on my server and remotedekstop works too. Thats fine dns is working. its fine. outlook can connect to exchange server. very good But ping still does not work. And drive maping or windows client connect does not work. (if i open explorer and type in the name or ip of server ig. \\192.168.100.1 there is an error comming up) so something still goes wrong. any idea? Thank you. and there is another thing. if i change encypt to AES 256 , it works, but it is very slowly. is this not possible with FTG 50?

Best wishes out of Germany

Report Inappropriate Content · ‎04-28-2005

I have to check about the ping not working, perhaps do a search here in the forum, remind to set the date range larger than a month. I can imagine that a FG50 has slow AES256 performance, I have no experience with this model but I understand that it was replaced as the specs weren' t good enough (max 10 users). The 50A is about the same model with a faster CPU and more memory. So you better stick to AES128. Regards, Eric

mas1971 · ‎05-04-2005

i upgrade to Forticlient Version 1.60.140, but same problem. After a while I disable the firewall. After that every thing works fine. So the problem was netbios rule in the firewall. After configure a new rule in the advance settings ervery thing works fine, and this after enable the firewall. Thank you very much. Bye Martin

Best wishes out of Germany

vanc · ‎05-04-2005

Martin, You don' t need to configure the advance rules on the personal firewall, just add your internal servers to trusted zone. You can add a subnet. That' s maybe the simpler.

mas1971 · ‎05-05-2005

Hi Vanc, yes this works too, thanks for that. Bye Martin

Best wishes out of Germany