Support Forum
mapapo
New Contributor

Access / routing from Wan1 to Wan2

Hi, me again. A second interesting problem. We have two external connections over different ISPs. Our webserver uses WAN1 for incoming traffic. Our users use WAN2 for web surfing. Everything works fine, but if users want to reach our webserver it doesn't work. It seems that the "internal routing" for the outgoing connection from WAN2 to WAN1 somehow fails. Is there a policy I have to add for that case, or a route? I am using MR06. Many thanks
ejhardin

Are you using AD? Are you using the same AD domain address as your website?
mapapo

ORIGINAL: ejhardin Are you using AD? Are you using the same AD domain address as your website?
No, not the same, though: my domain users are in a domain like domain.intern and of course receive mail as domain.com. The webserver is something like domain.com. Could this cause a problem?
ejhardin

On your internal DNS servers, make a new zone for the web server's public domain. So if your internal domain is example.local and your website is www.example.com, then create a zone called example.com, create an "A" record "www" and point it to your web server's private IP (like 172.32.100.80). So your internal network is a private IP range of 192.168.100.x and the DMZ is 172.32.x.x. Create a firewall rule from internal to the DMZ for service HTTP. When an internal user requests the web page, your DNS server will tell the firewall that it needs to go to the DMZ, 172.32.100.80. This is internal split DNS.
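The FortiGate side of the split-DNS setup ejhardin describes, as an added example that is not from the thread: an address object for the web server's DMZ address and an internal-to-DMZ policy allowing HTTP to it. The DNS half (an A record for www in an example.com zone on the internal DNS server, answering 172.32.100.80) is done on the DNS server, not here. Interface names "internal" and "dmz", the object name "web_dmz" and the 172.32.100.80 address are assumptions taken from the post; the `#` lines are annotations and are not part of the CLI.

```fortios
# Added example (not from the thread). Assumes interfaces "internal" and "dmz"
# and the DMZ web server address 172.32.100.80 used in the post above.

# 1. Address object for the web server's DMZ address (a /32 host object)
config firewall address
    edit "web_dmz"
        set subnet 172.32.100.80 255.255.255.255
        set associated-interface "dmz"
    next
end

# 2. Policy: internal clients -> DMZ web server, HTTP only.
#    No NAT is needed; both sides are directly connected to the FortiGate.
#    "edit 0" lets the FortiGate assign the next free policy ID.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web_dmz"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```

To check the DNS half, run `nslookup www.example.com` from an inside workstation: it must return the DMZ address (172.32.100.80), not the public WAN1 address, otherwise the client still tries to leave via WAN2 and this policy is never matched. Policies are evaluated top-down, so this rule has to sit above any broader internal-to-WAN rule, and if the internal-to-WAN rule requires user authentication, this one should too, or the browser session that already authenticated on the WAN rule will behave differently from one that did not. One caveat on the addressing in the post: 172.32.x.x is outside the RFC 1918 range 172.16.0.0/12 (which ends at 172.31.255.255), so a DMZ really numbered 172.32.x.x is using someone else's public space; pick a range inside 172.16.0.0/12 instead.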
mapapo

The DNS thing is quite clear to me. But it still doesn't explain why a policy with AD authentication does not allow the traffic to get through, whereas the same policy without authentication works. There must be something in there?
ejhardin

Explain a little more... What is the policy and where is it failing?
mapapo

It's quite simple (I am testing the AD authentication at the moment).

Scenario without authentication: policy internal -> WAN, all, any, accept, with NAT. I can surf to the outside world and can reach my internal server.

Scenario with authentication: same policy, but with my user group. I can reach the outside world but not the internal server.

The policy is the last one; no other policies before it are suitable, so that policy is triggered.
ejhardin

Internal server meaning the web server?
UkWizard
New Contributor

ejhardin - You are correct, we all just presumed it's in the DMZ, as that's where it should be. Only a fool would put an external-facing server on their inside network. It's a fair comment though, and does explain some of the confusion...
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.