Hi guys
Need your help, we have an existing IPsec VPN tunnels (cisco) between our main office and our branches (hub and spokes) Several days ago we acquired a new FortiGate 301E. Initially, we would like to just forward a web traffic through it. With the main office, I achieve this without problems both devices are in the same subnet. But I could not do the same with branches despite the fact that I forwarded all web traffic to a FortiGate local IP address.
Not a virtual interface but just an interface. If you terminate on the same interface to which you redirect traffic from .1.x just use a secondary IP address from the .2.x subnet. Otherwise, how would the left-most Cisco know where to send the redirected traffic?
I really wonder how you are able to see pings going through. The VPN would be the only way for this. You should see it stopping if you deny PING on one of the VPN policies...
ede_pfau wrote:Main Office and Cisco are on the same subnet after I add a static route to FGT which say route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2 I was able to ping FGT from 2.2 router. Now after your advice to add a secondary address on my local interface I did that and also added new static routes on both routers for them to learn about this new address on FGT, unfortunately, no reaction, no PING.Not a virtual interface but just an interface. If you terminate on the same interface to which you redirect traffic from .1.x just use a secondary IP address from the .2.x subnet. Otherwise, how would the left-most Cisco know where to send the redirected traffic?
I really wonder how you are able to see pings going through. The VPN would be the only way for this. You should see it stopping if you deny PING on one of the VPN policies...
Vigorus wrote:Ede, any idea?ede_pfau wrote:Main Office and Cisco are on the same subnet after I add a static route to FGT which say route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2 I was able to ping FGT from 2.2 router. Now after your advice to add a secondary address on my local interface I did that and also added new static routes on both routers for them to learn about this new address on FGT, unfortunately, no reaction, no PING.
Main Office and Cisco are on the same subnet after I add a static route to FGT which say route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2 I was able to ping FGT from 2.2 router. Now after your advice to add a secondary address on my local interface I did that and also added new static routes on both routers for them to learn about this new address on FGT, unfortunately, no reaction, no PING.
Unfortunately, no, not from far away. You could sniff the traffic (diag sniffer packet ...) and/or trace it (diag debug flow ...) to see what happens. This would be a bit of an overkill for a forum post...
ede_pfau, thank you for your time. Guys, can anyone help me?
Maybe someone (professional) is near you. Where are you located? I'm in Southern Germany but there are really apt partners nearly all over the globe.
(who sold you the FGT?)
Ede_Pfau, thx for the advice, appreciate that I will try to communicate with our apt partner. Sorry for so late respond.
You're welcome. Debugging this is best done live and with some experience.
I'm still confident it'll work in the end.
I hope so, thanks.
 
					
				
				
			
		
| User | Count | 
|---|---|
| 2678 | |
| 1412 | |
| 810 | |
| 704 | |
| 455 | 
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.