Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dholton912
New Contributor

Allow One IP to Remotely Browse through Site-to-Site

Hey everyone!

 

I have a site-to-site VPN between two locations. Is there a way I can pass only one IP address through for remote browsing. For example, I have a subnet of 10.0.0.0/24 on FW A that can access all internal resources on FW B (example subnet of 10.1.1.0/24). I have one workstation (10.0.0.50) on FW A that would need to access the internet through FW B. The rest of the network would still access the internet through FW A. I tried using this KB https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p... but am unable to get what I need to work. Any help with this would be greatly appreciated!

1 Solution
hbac

@dholton912

 

I believe your default route is pointing to wan2 which is why it doesn't match the policy route. You will need another static route and point it to the IPSec tunnel. You can create a static route for 8.8.8.8 for testing and point it to the IPSec tunnel. After that, run the debug flow again. 

 

Regards, 

View solution in original post

52 REPLIES 52
dholton912

We have something new now. It is pinging but it is going out of it's FW instead of across the VPN.

 

mle2802

Still show that policy route is not matching, what is your current version?

dholton912

5.6 right now. I have firmware to be able to update to 6.0.13

mle2802

Can you try 6.0.13, and use the diag ip proute to see if policy route matching. Here is the document https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verify-the-matching-policy-route/ta-p/1906...

dholton912

Can I update directly from 5.6 to 6.0.13 or do I need to stair step?

hbac

@dholton912

 

I believe your default route is pointing to wan2 which is why it doesn't match the policy route. You will need another static route and point it to the IPSec tunnel. You can create a static route for 8.8.8.8 for testing and point it to the IPSec tunnel. After that, run the debug flow again. 

 

Regards, 

mle2802

Please use this tool for upgrade path https://docs.fortinet.com/upgrade-tool

dholton912

So I added another static route as @hbac requested. I created on for 8.8.8.8/32 with the device as the S2S VPN distance of 10 priority 0. Ran the debug flow again and got this:

 

hbac

@dholton912,

 

The traffic is now going through the IPsec tunnel. You can run the same debug flow on FW B to see if it is being dropped or not. 

 

Regards, 

dholton912

Now what do I need to change my static route to to ensure that all internet traffic from 10.0.0.50 goes through FW B and the other devices on FW A use it for internet?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors