Allow One IP to Remotely Browse through Site-to-Site
Hey everyone!
I have a site-to-site VPN between two locations. Is there a way I can pass only one IP address through for remote browsing? For example, I have a subnet of 10.0.0.0/24 on FW A that can access all internal resources on FW B (example subnet of 10.1.1.0/24). I have one workstation (10.0.0.50) on FW A that would need to access the internet through FW B. The rest of the network would still access the internet through FW A. I tried using this KB https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p... but am unable to get what I need to work. Any help with this would be greatly appreciated!
Labels: FortiGate, FortiGate v5.2
I believe your default route is pointing to wan2 which is why it doesn't match the policy route. You will need another static route and point it to the IPSec tunnel. You can create a static route for 8.8.8.8 for testing and point it to the IPSec tunnel. After that, run the debug flow again.
Regards,
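A worked configuration for the approach described in the reply above (a static route towards the tunnel so the policy route can match, plus a policy route keyed on the single host), added here as an example; it is not from the thread or from Fortinet. Interface names (internal, wan1, to-FWB, to-FWA), the address object name, and the route/policy IDs are assumptions. The phase2 selectors and the NAT policy on FW B are needed because the remote-browsing traffic has to be allowed through the tunnel and then NATed out of FW B's WAN; on v5.2 firmware the src/dst lines inside config router policy are written as "ip mask" pairs (for example set src 10.0.0.50 255.255.255.255) instead of the "ip/prefix" form shown.

```fortios
# ===== FW A (site with 10.0.0.0/24, workstation 10.0.0.50) =====

# Address object for the single workstation (name is an assumption).
config firewall address
    edit "host-10.0.0.50"
        set subnet 10.0.0.50 255.255.255.255
    next
end

# Phase2 selectors must cover Internet destinations, not just 10.1.1.0/24,
# or the tunnel will drop the 8.8.8.8 traffic. Phase1 "to-FWB" is assumed.
config vpn ipsec phase2-interface
    edit "to-FWB-internet"
        set phase1name "to-FWB"
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Second default route via the tunnel. Same distance as the existing wan
# default route so it stays in the routing table (a policy route is only
# honoured when a route to the destination exists via its output device),
# but a worse priority so normal traffic keeps using the wan route.
# For a quick test, replace dst with 8.8.8.8 255.255.255.255 as suggested above.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to-FWB"
        set distance 10
        set priority 20
    next
end

# Policy route: only 10.0.0.50 is steered into the tunnel for all destinations.
# Traffic to 10.1.1.0/24 still goes through the tunnel via the existing route.
config router policy
    edit 1
        set input-device "internal"
        set src "10.0.0.50/32"
        set dst "0.0.0.0/0"
        set output-device "to-FWB"
    next
end

# Firewall policy allowing the workstation into the tunnel for any destination.
config firewall policy
    edit 0
        set name "ws50-to-FWB-internet"
        set srcintf "internal"
        set dstintf "to-FWB"
        set srcaddr "host-10.0.0.50"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== FW B (site with 10.1.1.0/24, provides the Internet breakout) =====

# Mirror of the phase2 selectors (phase1 "to-FWA" is assumed).
config vpn ipsec phase2-interface
    edit "from-FWA-internet"
        set phase1name "to-FWA"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end

config firewall address
    edit "host-10.0.0.50"
        set subnet 10.0.0.50 255.255.255.255
    next
end

# Tunnel-to-WAN policy with source NAT, so 10.0.0.50 leaves as FW B's public IP.
# Restricting srcaddr to the one host keeps the rest of 10.0.0.0/24 off FW B's Internet.
config firewall policy
    edit 0
        set name "FWA-ws50-internet-out"
        set srcintf "to-FWA"
        set dstintf "wan1"
        set srcaddr "host-10.0.0.50"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying this, repeat the sniffer and debug-flow commands from the thread on both firewalls: the sniffer on FW B should now show the echo requests arriving on the tunnel interface, and the flow trace on FW A should report the policy route rather than wan2.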
Hi @dholton912,
Can you try to run the following command on both FortiGates while pinging 8.8.8.8 from 10.0.0.50:
diag sniffer packet any "host 10.0.0.50 and icmp" 4 0 l
On FW B I get no responses, as if the traffic never makes it there. On FW A I continually get:
2024-01-08 10:55:34.243037 interface in 10.0.0.50 -> 8.8.8.8: icmp: echo request
Can you run this on FW A while pinging again:
diag debug reset
diag debug flow filter addr 10.0.0.50
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999
Do I run these one at a time or copy the whole and paste into the CLI?
Yes, you can copy the whole thing and paste it into the CLI, press Enter and run the ping. After the ping completes, copy the result and close the CLI.
Created on 01-08-2024 08:14 AM Edited on 01-11-2024 08:38 AM
2024-01-08
Looks like the traffic is still using wan2. Can you please run the command:
config router policy
show full
Created on 01-08-2024 08:26 AM Edited on 01-11-2024 08:39 AM
config router policy
edit 1
next
end
Created on 01-08-2024 08:38 AM Edited on 01-11-2024 08:39 AM
So I'm on an older firmware and these are my options in the GUI.