Fortinet Forum
ksibhai
New Contributor

INTER-BRANCH CONNECTIVITY

Dear All,

Please note that we have a firewall in our office and two branches at different locations. They were connected through an internal IP route without a firewall, but since we installed the FortiGate 60E firewall, the communication between the branches is not working.

The following is the setup.

The firewall's connected interface with a public IP on WAN1: 10.10.100.100/255.255.255.248

port 0 internal 192.168.10.1/24

Branch 1: 192.168.101.1/24

Branch 2: 192.168.102.1/24

I have configured the static route between the branches as follows: 192.168.12.1/24 via WAN1, gateway 10.10.100.1

I am not able to ping any of the branch subnets.

Can anyone help?

Debbie_FTNT
Staff

Hey ksibhai,

where does the 192.168.12.1/24 subnet come from? That is not the local subnet of your HQ (192.168.10.1/24) nor your branches (192.168.101.1/24 and 192.168.102.1/24).

As for the routing:

-> on the HQ you need a route to 192.168.101.0/24 and 192.168.102.0/24 via its gateway (10.10.100.100?)

-> on the branch offices, you need routes to 192.168.10.0/24 via their gateways

-> with that routing in place (and provided your network can route the requests) your FortiGates should be able to ping each other
-> for the 192.168.x.x subnets to ping each other, you would also need policies on each FortiGate in both directions, to allow inbound and outbound traffic

 

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
ksibhai

Hi Debbie,

Thanks for the response.

The branches have the following subnets: 192.168.101.1/24 and 192.168.102.1/24.

The HO internal subnet is 192.168.10.1/24.

The FortiGate is connected to WAN2 with public IP 10.10.100.100.

The router gateway is 10.10.100.1.

I have created two static routes in the FortiGate for the branches as specified below:

192.168.101.0/24 with WAN2 interface and assigned gateway 10.10.100.1

192.168.102.0/24 with WAN2 interface and assigned gateway 10.10.100.1

Both of the above branches have NAT enabled, so we could communicate with the HO internal subnet 192.168.10.0/24 from the branches and vice versa without the firewall, but with the firewall we are unable to communicate.

NOTE: The firewall will communicate directly with the branch router only.

Hence, I would seek your assistance in configuring the same. If possible, can you please post the firewall configuration?

Thank you so much

ksibhai

One more thing I forgot to add here: the HO internal subnet is 192.168.10.0/24.

 

Debbie_FTNT

Hey ksibhai,

as mentioned above, all you would need on the FortiGates are policies to allow the traffic in both directions.

-> go to Policy & Objects

-> go to IPv4 Policies

-> 'Create New'

-> set the correct source and destination interface and action accept, and either set source/destination address 'All' or specify the according subnets

-> do this for both directions

-> set NAT as necessary; this depends on your network design and what subnets do/don't get routed

With that, IF FortiGate receives traffic for the HO subnet, it should allow it through.

It should also allow traffic from HO subnet out.

 

Please consider:

- can FortiGate ping its gateway 10.10.100.1?

- can FortiGate ping the branch gateways?

- can the branches ping the FortiGate interface 10.10.100.100?

-> you might need to allow ping on the interface for this

- can the branches ping HO subnet? (this would require the policies I mentioned above)

If the answers are no, then you are looking at some kind of network issue between the FortiGate and branch offices, and no policy configuration on the FortiGate can fix this.

 

If the FortiGate can reach the branch offices and vice versa, then you would need to add the policies as I mentioned above.

Please take into consideration:

- the HO subnet can't ping the branch offices, as those are behind NAT

- the routers between the branch office and FortiGate need to know the HO subnet to route the traffic to FortiGate

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
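The routes, the two-direction policies and the reachability checklist from the reply above, written out as FortiOS CLI. This is an added example, not Debbie's or Fortinet's posted configuration: the interface names "internal" and "wan2", the address object and policy names are assumptions, while the subnets and the 10.10.100.1 gateway are the ones given in the thread.

```text
# Added example (not from the thread). Interface names "internal"/"wan2"
# and all object/policy names are assumed; subnets and gateway are from the thread.

# 1. Address objects for the HO and branch subnets
config firewall address
    edit "HO_LAN"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "BRANCH1_LAN"
        set subnet 192.168.101.0 255.255.255.0
    next
    edit "BRANCH2_LAN"
        set subnet 192.168.102.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "BRANCH_LANS"
        set member "BRANCH1_LAN" "BRANCH2_LAN"
    next
end

# 2. Static routes to the branches via the upstream router on WAN2
config router static
    edit 0
        set dst 192.168.101.0 255.255.255.0
        set gateway 10.10.100.1
        set device "wan2"
    next
    edit 0
        set dst 192.168.102.0 255.255.255.0
        set gateway 10.10.100.1
        set device "wan2"
    next
end

# 3. Policies in both directions, restricted to the named subnets rather
#    than "all". NAT stays disabled so the branch routers see the real
#    192.168.10.0/24 source; they therefore need a return route to it.
config firewall policy
    edit 0
        set name "HO_to_Branches"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "HO_LAN"
        set dstaddr "BRANCH_LANS"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "Branches_to_HO"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "BRANCH_LANS"
        set dstaddr "HO_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# 4. Allow ping on the WAN interface so the branches can test reachability
#    ("append" adds to the existing allowaccess list instead of replacing it)
config system interface
    edit "wan2"
        append allowaccess ping
    next
end

# 5. Verification, in the order of the checklist above
execute ping 10.10.100.1                 # FortiGate -> its own gateway
execute ping 192.168.101.1               # FortiGate -> branch 1 gateway
get router info routing-table all        # confirm the static routes are active
diagnose sniffer packet wan2 'host 192.168.101.1 and icmp' 4
diagnose debug flow filter addr 192.168.101.1
diagnose debug flow trace start 10
diagnose debug enable
```

If the sniffer shows the echo request leaving wan2 but no reply returning, the problem is on the router side (no route back to the HO subnet or to the FortiGate's WAN address), which matches the note above that no FortiGate policy can fix it; if the debug flow output reports a policy or route denial, the FortiGate configuration itself is the place to look. Logging all traffic on both policies keeps a record of what was allowed while the link is being brought up.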
ksibhai

Hi Debbie,

Hope you're doing well,

Sorry for the late reply; I was engaged in some other activities and could not check your answer.

I have tried the above suggestion and could not get it to succeed.

As per your questions for consideration:

- can FortiGate ping its gateway 10.10.100.1? Yes

- can FortiGate ping the branch gateways? No

- can the branches ping the FortiGate interface 10.10.100.100? YES

- can the branches ping HO subnet? No

I have posted both router configurations here for your review.

HQ Router:

interface Tunnel0
description **to-CubeMall**
ip address 10.10.10.1 255.255.255.252
tunnel source 172.50.55.154
tunnel destination 10.190.124.65
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.901
description WAN-Internet
encapsulation dot1Q 901
ip address 172.17.79.230 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/0/0.902
description ***** DATA*****
encapsulation dot1Q 902
ip address 172.50.55.154 255.255.255.252
!
interface GigabitEthernet0/0/0.910
description ***** NON-HCS*****
encapsulation dot1Q 910
ip address 192.168.161.114 255.255.255.252
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.20
encapsulation dot1Q 20
ip address 10.10.100.13 255.255.255.248
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1.30
description COnencted_PBX
encapsulation dot1Q 30
ip address 10.255.255.1 255.255.255.252
!
interface GigabitEthernet0/0/2
description Conencted_PBX
no ip address
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router bgp 65277
bgp log-neighbor-changes
neighbor 172.50.55.153 remote-as 42961
neighbor 172.50.55.153 password 7 15282B252A1E190505031A
!
address-family ipv4
network 192.168.10.0
redistribute connected
neighbor 172.50.55.153 activate
neighbor 172.50.55.153 allowas-in
exit-address-family
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 172.12.28.0 255.255.255.224 172.50.55.153
ip route 192.168.102.0 255.255.255.0 Tunnel0

 

HQ Routing Table

Gateway of last resort is 172.17.79.229 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.17.79.229
10.0.0.0/8 is variably subnetted, 7 subnets, 5 masks
C 10.10.10.0/30 is directly connected, Tunnel0
L 10.10.10.1/32 is directly connected, Tunnel0
C 10.255.255.0/30 is directly connected, GigabitEthernet0/0/1.30
L 10.255.255.1/32 is directly connected, GigabitEthernet0/0/1.30
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.10.100.100/29 is directly connected, GigabitEthernet0/0/1.20
L 10.10.100.101/32 is directly connected, GigabitEthernet0/0/1.20
L 10.10.100.102/32 is directly connected, GigabitEthernet0/0/1.20
172.17.0.0/16 is variably subnetted, 6 subnets, 2 masks
B 172.50.55.140/30 [20/0] via 172.50.55.153, 3w2d
C 172.50.55.152/30 is directly connected, GigabitEthernet0/0/0.902
L 172.50.55.154/32 is directly connected, GigabitEthernet0/0/0.902
C 172.17.79.228/30 is directly connected, GigabitEthernet0/0/0.901
L 172.17.79.230/32 is directly connected, GigabitEthernet0/0/0.901
B 172.17.79.232/30 [20/0] via 172.17.28.153, 3w2d
172.28.0.0/27 is subnetted, 1 subnets
S 172.28.12.0 [1/0] via 172.17.28.153
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, GigabitEthernet0/0/1.20
L 192.168.10.1/32 is directly connected, GigabitEthernet0/0/1.20
S 192.168.102.0/24 is directly connected, Tunnel0
192.168.161.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.161.112/30 is directly connected, GigabitEthernet0/0/0.910
L 192.168.161.114/32 is directly connected, GigabitEthernet0/0/0.910

 

 

Branch Router Config

ip dhcp pool LAN
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
dns-server 212.43.18.22 95.66.18.22
option 150 ip 10.60.90.2
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid ISR4331/K9 sn FDO25030XA0
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
!
redundancy
mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.904
description ***** Internet*****
encapsulation dot1Q 904
ip address 172.17.79.242 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/0/0.905
description ***** DATA*****
encapsulation dot1Q 905
ip address 172.50.55.142 255.255.255.252
!
interface GigabitEthernet0/0/1
description LAN_Connection
ip address 192.168.101.1 255.255.255.0 secondary
ip address 10.10.100.105 255.255.255.252
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1.10
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router bgp 65277
bgp log-neighbor-changes
neighbor 172.50.55.141 remote-as 42961
neighbor 172.50.55.141 password 7 15282B252A1E190505031A
!
address-family ipv4
network 192.168.101.0
redistribute connected
neighbor 172.50.55.141 activate
neighbor 172.50.55.141 allowas-in
exit-address-family
!
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 172.17.79.242 name Zain_Internet
ip route 10.51.6.2 255.255.255.255 172.50.55.141
ip route 10.60.92.0 255.255.255.0 172.50.55.141
!
!
access-list 1 permit 192.168.101.0 0.0.0.255

 

Routing Table Branch

S* 0.0.0.0/0 [1/0] via 172.17.79.242
10.0.0.0/8 is variably subnetted, 5 subnets, 4 masks
B 10.10.10.0/30 [20/0] via 172.50.55.141, 3w4d
S 10.51.6.2/32 [1/0] via 172.50.55.141
S 10.60.92.0/24 [1/0] via 172.50.55.141
B 10.190.124.64/28 [20/0] via 172.50.55.141, 17:39:12
B 10.255.255.0/30 [20/0] via 172.50.55.141, 5d23h
10.0.0.0/29 is subnetted, 1 subnets
B 10.10.100.105 [20/0] via 172.50.55.141, 1w3d
172.17.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.50.55.140/30 is directly connected, GigabitEthernet0/0/0.905
L 172.50.55.142/32 is directly connected, GigabitEthernet0/0/0.905
B 172.50.55.152/30 [20/0] via 172.50.55.141, 7w0d
B 172.17.79.238/30 [20/0] via 172.50.55.141, 5w4d
C 172.17.79.242/30 is directly connected, GigabitEthernet0/0/0.904
L 172.17.79.234/32 is directly connected, GigabitEthernet0/0/0.904
192.168.161.0/30 is subnetted, 1 subnets
B 192.168.161.112 [20/0] via 172.50.55.141, 5w4d

 

I would like to request you to go through the above configuration and suggest what changes are required from my end.

Thank you in advance,