dholton912
Allow One IP to Remotely Browse through Site-to-Site

Hey everyone!

I have a site-to-site VPN between two locations. Is there a way I can pass only one IP address through for remote browsing? For example, I have a subnet of 10.0.0.0/24 on FW A that can access all internal resources on FW B (example subnet of 10.1.1.0/24). I have one workstation (10.0.0.50) on FW A that would need to access the internet through FW B. The rest of the network would still access the internet through FW A. I tried using this KB https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p... but am unable to get what I need to work. Any help with this would be greatly appreciated!

1 Solution
hbac

@dholton912

I believe your default route is pointing to wan2, which is why it doesn't match the policy route. You will need another static route that points to the IPsec tunnel. You can create a static route for 8.8.8.8 for testing and point it to the IPsec tunnel. After that, run the debug flow again.

 

Regards, 

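The fix described in the accepted solution, written out as a full FortiOS CLI configuration. This is an added example, not config from the original post or from the Fortinet KB, and it assumes names not given in the thread: the LAN interface is "internal", the tunnel is "to-FWB" on FW A and "to-FWA" on FW B, FW A's default route is via wan2 (as in the thread), and FW B's internet interface is wan1. It shows both the throwaway 8.8.8.8/32 test route from the solution and the production alternative: a second default route via the tunnel with the same distance as the wan2 default but a worse priority, so it stays in the routing table (which the policy route needs) without taking over normal traffic.

```fortios
# ===== FW A (LAN 10.0.0.0/24, default route via wan2) =====
# Assumed names: "internal", "to-FWB", "wan2". Example config, not from the post.

# 1) Phase 2 selector that carries internet-bound traffic from the one workstation.
#    Must be mirrored on FW B or the SA will not be negotiated.
config vpn ipsec phase2-interface
    edit "to-FWB-p2-inet"
        set phase1name "to-FWB"
        set src-subnet 10.0.0.50 255.255.255.255
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# 2) A route to the destination via the tunnel interface. A policy route is only
#    honoured if the routing table can reach the destination out of its
#    output-device; with only the wan2 default route it is skipped.
config router static
    # Option A (testing only, per the accepted solution): host route for 8.8.8.8.
    edit 0
        set dst 8.8.8.8 255.255.255.255
        set device "to-FWB"
    next
    # Option B (production): second default route, same distance as the wan2
    # default so both are active, worse priority so wan2 is still preferred
    # for everyone that is not matched by the policy route below.
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to-FWB"
        set distance 10
        set priority 10
    next
end

# 3) Policy route: only 10.0.0.50 is steered into the tunnel.
#    On newer firmware "set dstaddr all" can replace the dst line.
config router policy
    edit 0
        set input-device "internal"
        set src "10.0.0.50/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "to-FWB"
    next
end

# 4) Firewall policy allowing that host into the tunnel (no NAT on this side).
config firewall address
    edit "ws-10.0.0.50"
        set subnet 10.0.0.50 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "ws-internet-via-FWB"
        set srcintf "internal"
        set dstintf "to-FWB"
        set srcaddr "ws-10.0.0.50"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== FW B (LAN 10.1.1.0/24, internet via wan1) =====
# Assumed names: "to-FWA", "wan1". Existing static route for 10.0.0.0/24 via
# "to-FWA" is assumed to be present already for the site-to-site traffic.
config vpn ipsec phase2-interface
    edit "to-FWA-p2-inet"
        set phase1name "to-FWA"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 10.0.0.50 255.255.255.255
    next
end
config firewall address
    edit "ws-10.0.0.50"
        set subnet 10.0.0.50 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "FWA-ws-to-internet"
        set srcintf "to-FWA"
        set dstintf "wan1"
        set srcaddr "ws-10.0.0.50"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying, confirm on FW A that the tunnel default route is installed with `get router info routing-table all` (both 0.0.0.0/0 entries should be listed) and that the policy route is present with `diagnose firewall proute list`; then repeat the `diag debug flow` trace from earlier in the thread and check that the output interface for 10.0.0.50 is the tunnel rather than wan2. Keep the source restricted to the single host on both the policy route and FW B's NAT policy, otherwise the whole 10.0.0.0/24 can egress through FW B.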
mle2802

Hi @dholton912,

Can you try to run the following command on both FortiGates when pinging 8.8.8.8 from 10.0.0.50:

diag sniffer packet any "host 10.0.0.50 and icmp" 4 0 l

dholton912

On FW B I get no responses, as if the traffic never makes it there. On FW A I get a continual:

2024-01-08 10:55:34.243037 interface in 10.0.0.50 -> 8.8.8.8: icmp: echo request

mle2802

Can you run this on FW A when pinging again?

diag debug reset
diag debug flow filter addr 10.0.0.50
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999


dholton912

Do I run these one at a time, or copy the whole thing and paste it into the CLI?

mle2802

Yes, you can copy the whole thing and paste it into the CLI, press enter and run the ping. After the ping completes, copy the result and close the CLI.

dholton912


2024-01-08

mle2802

Looks like the traffic is still using wan2. Can you please run the command:

config router policy
show full

dholton912

config router policy
edit 1

next
end

mle2802

Hi @dholton912,

Instead of using 0.0.0.0, can you try to set the address as "all"?

 

[screenshot attached: Capture.PNG]

dholton912

So I'm on an older firmware, and these are my options in the GUI.
