dholton912

Allow One IP to Remotely Browse through Site-to-Site

Hey everyone!

I have a site-to-site VPN between two locations. Is there a way I can pass only one IP address through for remote browsing? For example, I have a subnet of 10.0.0.0/24 on FW A that can access all internal resources on FW B (example subnet of 10.1.1.0/24). I have one workstation (10.0.0.50) on FW A that would need to access the internet through FW B. The rest of the network would still access the internet through FW A. I tried using this KB https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p... but am unable to get what I need to work. Any help with this would be greatly appreciated!

1 Solution
hbac

@dholton912

I believe your default route is pointing to wan2 which is why it doesn't match the policy route. You will need another static route and point it to the IPSec tunnel. You can create a static route for 8.8.8.8 for testing and point it to the IPSec tunnel. After that, run the debug flow again.

Regards,

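Putting the accepted answer into FortiOS CLI, as an added example (not configuration posted in this thread): the test host route to 8.8.8.8 via the tunnel, the policy route that matches only 10.0.0.50, and the debug flow filter used to verify it. The tunnel interface name "to-FWB" and the LAN interface name "internal" are assumptions; substitute your own.

```fortios
# FortiOS CLI on FW A (the side with the 10.0.0.50 workstation).
# Assumed names: IPsec tunnel interface "to-FWB", LAN interface "internal".

# Step 1 (the accepted answer's test): a host route for 8.8.8.8 via the tunnel,
# so the policy route below has a matching entry in the routing table.
config router static
    edit 0
        set dst 8.8.8.8 255.255.255.255
        set device "to-FWB"
    next
end

# Step 2: policy route that sends only 10.0.0.50's traffic into the tunnel.
# No "dst" is set, so it matches any destination; every other host on
# 10.0.0.0/24 keeps following the existing wan2 default route.
config router policy
    edit 1
        set input-device "internal"
        set src "10.0.0.50/255.255.255.255"
        set output-device "to-FWB"
    next
end

# Step 3: trace how FW A forwards a ping from the workstation to 8.8.8.8.
# Expect the trace to show the policy route hit and "to-FWB" as the egress.
diagnose debug flow filter saddr 10.0.0.50
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# Once the 8.8.8.8 test works, swap the host route for a 0.0.0.0/0 route via
# "to-FWB" that stays installed next to the wan2 default (same distance, a
# higher "priority" value so wan2 remains preferred for everyone else).
# Phase 2 selectors on both ends must then cover 10.0.0.50 <-> 0.0.0.0/0, and
# FW B needs a firewall policy from the tunnel to its WAN with NAT enabled.
```

Run `diagnose debug disable` and `diagnose debug flow filter clear` when finished so the filter does not linger.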

mle2802

What is your version?

dholton912

5.2.1 build 618

mle2802

I would suggest updating to a later version, as this could be a bug and version 5.2 is no longer supported.

dholton912

What version can I update to without losing current configs on the FW?

mle2802

What is your device model?

dholton912

FortiWifi 60D. Also the other firewall is a 60D with version 6.0.13.

dholton912

Just updated the FW firmware and changed destination to all.

mle2802

After that, can you try to ping and run debug flow?

dholton912

2024-01-08 

mle2802

Is your IPsec tunnel up?