Good evening all,
I have a configuration, and I am not sure why it does not work.
This is FortiOS 6.2.2.
I attached the topology.
Static route on FTG is
10.10.1.0/24 to 10.10.1.254
10.10.101.0/24 to 10.10.1.254
10.10.102.0/24 to 10.10.1.254
VLAN90 - 10.10.1.1/24 with default gateway 10.10.1.254
ping from Cisco 3750 switch to SVI interface of VLAN 101, has ping reply
ping from Cisco 3750 switch to FTG - 10.10.1.1, has ping reply
ping from PC1 to PC2, has ping reply
ping from PC2 to PC1, has ping reply
ping to 10.10.1.254 has ping reply
ping from PC2 to 10.10.1.1 (FTG internal interface), has no reply
Ping from PC2 to WAN1 also has no reply
It seems the outgoing routing from VLANs other than VLAN90 is not able to reach the internal FTG interface or the external FTG WAN interface.
Do you know why it is not able to ping? I cannot ping 8.8.8.8 either.
PS: ping is enabled on the interface.
Why is the default GW at the FGT toward the Cisco while the internet circuit is terminated at the FGT?
Also, PC2 in the attached pic is shown to be on VLAN101 (10.10.101.123). If the Cisco 3750 is connected to an internal port on the FGT, I assume VLAN sub-interfaces are also configured under that interface (on the FGT), or am I missing something?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
The interface between the Fortigate and the access switch needs to be a trunk unless you are routing on the access switch (which you are not since the IP subnet appears on multiple interfaces). That trunk will pass traffic on all attached VLANs between the switch and the Fortigate. You would then set up policies on the Fortigate allowing what you need. Alternatively, you could add another access port between the switch and the Fortigate with VLAN 101 passing across it.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I think Dom5 meant to use (keep) the 3750 as a router/switch (L3 mode). That's why those static routes (the first one is not necessary though) are placed at the FGT.
It seems the route from VLAN 90 to VLAN 101 is only on the Cisco 3750. I am wondering what default route is configured on PC2 (on VLAN 101)?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Is the Cisco routing?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
I want to keep the inter-VLAN routing on the 3750 switch as this is the core switch and we want to use the Fortigate as a firewall only.
So the internal routing is happening on the core switch. It is configured with ip routing, which can then route between the VLAN interfaces.
Hi Dave,
I have configured VLAN interfaces on the switch, and I want the VLAN interfaces to remain there.
VLAN 90
interface vlan 90
ip address 10.10.1.254 255.255.255.0
VLAN101
interface vlan 101
ip address 10.10.101.254 255.255.255.0
So on PC2 (101), I can ping those two interfaces as I set the default gateway as 10.10.101.254. I can also ping PC1, which is on VLAN90, as the internal interface of the Fortigate replies to the ping. However, I cannot ping the internal interface of the Fortigate from PC2.
Therefore, I am not sure what mistake I have made that stops it from working.
Hi toshiesumi,
I set the default gateway for the external as 0.0.0.0 to wan1.
From the switch, I can ping 8.8.8.8.
When I put the client behind the switch, I cannot ping the external. So I started the investigation. I found that the pinging stops after the switch, which has multiple VLANs.
From the Fortigate, I can ping the external network as well such as 8.8.8.8
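The replies raise three things to check on the FGT for a host behind the L3 core switch: whether a static route duplicates a connected subnet (the 10.10.1.0/24 route), whether the return route for the client's subnet exits the same interface the traffic arrived on, and whether a firewall policy covers the client's source subnet toward wan1. This is an added example, not code from the thread or from Fortinet; it models the posted addresses and static routes and assumes the wan1 addressing, the wan1 next hop and the policy table, which are not in the thread.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed model of the topology in this thread. The wan1 addressing and the
# policy table are assumptions; the internal address and static routes are as posted.
INTERFACES = {
    "internal": ip_interface("10.10.1.1/24"),    # VLAN90 side, facing the 3750
    "wan1": ip_interface("203.0.113.2/30"),      # assumed WAN addressing
}
STATIC_ROUTES = [  # (destination, next hop) as listed by the original poster
    (ip_network("10.10.1.0/24"), ip_address("10.10.1.254")),
    (ip_network("10.10.101.0/24"), ip_address("10.10.1.254")),
    (ip_network("10.10.102.0/24"), ip_address("10.10.1.254")),
    (ip_network("0.0.0.0/0"), ip_address("203.0.113.1")),   # assumed wan1 next hop
]
# Assumed firewall policies: (srcintf, dstintf, srcaddr). Only VLAN90 is allowed out.
POLICIES = [("internal", "wan1", ip_network("10.10.1.0/24"))]

def egress_interface(gateway):
    """Interface whose connected subnet contains the next hop, or None if unreachable."""
    for name, iface in INTERFACES.items():
        if gateway in iface.network:
            return name
    return None

def routing_table():
    """Connected routes first (distance 0 beats static 10 on an equal prefix), then statics."""
    table = [(iface.network, None, name) for name, iface in INTERFACES.items()]
    table += [(net, gw, egress_interface(gw)) for net, gw in STATIC_ROUTES]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)  # stable sort

def lookup(dst):
    """Longest-prefix match; returns (network, gateway, interface) or None."""
    dst = ip_address(dst)
    return next((r for r in routing_table() if dst in r[0]), None)

def redundant_static_routes():
    """Statics that duplicate a connected subnet (the 10.10.1.0/24 route in the thread)."""
    connected = {iface.network for iface in INTERFACES.values()}
    return [str(net) for net, _ in STATIC_ROUTES if net in connected]

def check_flow(src, dst, ingress):
    """For a packet from src arriving on ingress: route to dst, return route for src,
    whether the return path is symmetric, and whether a policy matches."""
    fwd, back = lookup(dst), lookup(src)
    allowed = any(ingress == si and fwd and fwd[2] == di and ip_address(src) in sa
                  for si, di, sa in POLICIES)
    return {"egress": fwd[2] if fwd else None,
            "return_via": back[2] if back else None,
            "symmetric": bool(back) and back[2] == ingress,
            "policy_allows": allowed}
```

With the assumed policy table, a PC2 flow to 8.8.8.8 routes and returns symmetrically through internal but matches no policy, while a VLAN90 host is allowed; the FGT's own address (10.10.1.1) is handled as local-in traffic and is outside this policy model.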