Fortinet Forum
Navs
New Contributor

Policy route query

Hi

 

I have a query regarding policy routes.  We have a customer whose network is connected to our firewall as in the diagram.  Their network overlaps with our own internal network subnets. In order to support our customer, we need to jump onto some servers on their network, say 10.40.1.10.  We are using a RDP jump box, located in our DMZ, to jump across onto the customer network. The problem is that if we try and connect to 10.40.1.10 the firewall static route sends us out our internal interface instead of the customer interface. BTW we have devices on 10.40.1.0/24 in our network too but the RDP server doesn’t need to connect to them.

 

I am thinking about using policy routing to get around this issue on the FortiGate 100E. Is that something I can do? Will the policy rule overrule the static route? Am I on the right track, or will I need to use NAT?

2 Solutions
isamt
Contributor

Yes, a policy route does override the routing table, so it would do what you want.

Under Network | Policy Route, click Create New:

Protocol: any

Incoming interface: DMZ

Source address: 172.18.26.24/255.255.255.255

Destination address: 10.40.1.10/255.255.255.255 (or select address objects)

Action: forward traffic

Outgoing interface: Customer

Gateway address: 10.40.1.1

Enable: yes

 

You will also need to add a firewall policy to allow the traffic from DMZ to Customer:

Source            Destination       Service    NAT
172.18.26.24      10.40.1.10        RDP        No

 

If you need to access several hosts in the Customer network and the jumpbox doesn't need to access the internal 10.40.1.0/24 subnet, then add the subnet 10.40.1.0/24 as the destination in the policy route so that any traffic to that subnet is sent to the customer network.


emnoc
Esteemed Contributor III

Correct, but you could fix this with a DNAT VIP using one of your addresses and map it to the customer server. Just add an internal DNS name and have your users use it.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  


Navs
New Contributor

Hi, thanks for that and the PBR example.