Hi,
I'm trying to understand how to replace a Cisco ASA with a Fortigate 100D running 5.0. Our core switches route all 169.212.x.x traffic to the 169.212.1.1 interface on an ASA via a trunk allowing vlan 212 traffic.
169.212.1.1 is the gateway for all 169.212.x.x devices.
The Cisco route and interface are defined as follows:
ip route 169.212.0.0 255.255.0.0 169.212.1.1
interface GigabitEthernet0/42
description Trunk to ASA
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 212
switchport mode trunk
Is this the correct way to set up the interfaces on the 100D so it can become the gateway for 169.212.0.0 traffic on vlan 212?
config system interface
edit "internal7"
set vdom "root"
set vlanforward enable
set type physical
set snmp-index 12
next
edit "VL212"
set vdom "root"
set ip 169.212.1.1 255.255.0.0
set allowaccess ping
set snmp-index 20
set interface "internal7"
set vlanid 212
next
end
How do I create a trunk on internal7 that will allow vlan 212 to come from the Cisco 0/42 interface?
ron
Well, you just did. It's called "VL212".
IMHO it's not a 'trunk' as it carries just one VLAN but nevertheless it should work like it is.
Do you see traffic coming in? Going out?
Do you have a policy from "VL212" to "wan" to allow internet facing traffic? Or any other policy to reach other ports?
A trunk port can carry one or more vlan tags. What you could do is diag sniffer the vlan sub-interface or the Cisco port, but the cfgs you have look good btw.
To confirm the switch side of things I would validate that the Fortigate layer 2 interface is learned and in vlan 212 for that Fortigate,
e.g
show mac address dyn int gi 0/42
should show a layer 2 MAC of a Fortigate for vlan id 212 on gi 0/42. If that's good, then double check what Ede posted on proper fw-policies.
Ken
PCNSE
NSE
StrongSwan
I made a mistake in typing the address above...we route to the physical lan interface (169.210.1.1) on the ASA, then flow traffic to the 169.212 network via rules. The ASA has another physical 169.212.1.1 interface trunked back to a Cisco switch which distributes the 169.212 traffic to servers on vlan tagged interfaces.
So I should have typed...
Our core switches route all 169.212.x.x traffic to the 169.210.1.1 (lan) interface on an ASA via a trunk allowing all vlan traffic.
169.212.1.1 is the gateway for all 169.212.x.x devices; that sits on the ASA. The Cisco route and interface are defined as follows:
ip route 169.212.0.0 255.255.0.0 169.210.1.1
So in an attempt to mimic the ASA with the fortigate I did the following...
on the Fortigate
config system interface
edit "internal7"
set vdom "root"
set vlanforward enable
set type physical
set snmp-index 12
next
edit "VL212"
set vdom "root"
set ip 169.212.1.1 255.255.0.0
set allowaccess ping
set snmp-index 20
set interface "internal7"
set vlanid 212
next
edit "internal1"
set vdom "root"
set type physical
set snmp-index 20
next
edit "internal2"
set vdom "root"
set type physical
set snmp-index 21
next
edit "lan"
set vdom "root"
set ip 169.210.10.200 255.255.0.0
set allowaccess ping https ssh telnet
set vlanforward enable
set type switch
set sflow-sampler enable
set sample-rate 512
set polling-interval 30
set device-identification enable
set listen-forticlient-connection enable
set snmp-index 27
next
end
config system switch-interface
edit "lan"
set vdom "root"
set member "internal1" "internal2"
next
end
I connected the trunk port (the one that was going to the 169.210.1.1 on the ASA) to the lan interface on the fortigate (169.210.10.200). I can ping 169.210.10.200 from anywhere.
I defined a firewall object for the address range 169.212.0.0-169.212.255.255 (V212).
I set up policies on the Fortigate to allow all traffic from lan to VL212 and VL212 to lan.
I can only ping 169.212.1.1 from the CLI.
The Cisco sees the lan mac address of the Fortigate but cannot ping the 169.212.1.1
What am I missing?
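An added example, not from any of the posters, of what the policy check Ede asks about and the sniffer check Ken suggests look like in FortiOS CLI. It assumes the poster's object and interface names (V212, VL212, lan, internal7) and the policy IDs 1 and 2; logging is enabled so policy hits are visible.

```fortios
# Address object for the 169.212/16 range (the poster's "V212")
config firewall address
    edit "V212"
        set type iprange
        set start-ip 169.212.0.0
        set end-ip 169.212.255.255
    next
end
# Transit policies in both directions between the switch-facing "lan"
# and the VLAN 212 sub-interface; logtraffic makes matches show in logs
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "VL212"
        set srcaddr "all"
        set dstaddr "V212"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set srcintf "VL212"
        set dstintf "lan"
        set srcaddr "V212"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# Check 1: 169.212.0.0/16 should appear as a connected route on VL212
get router info routing-table connected
# Check 2: while pinging 169.212.1.1 from the Cisco, do ICMP frames reach
# the sub-interface (tag 212 stripped) or only the physical port?
diagnose sniffer packet VL212 'icmp' 4 10
diagnose sniffer packet internal7 'icmp' 4 10
```

Pings aimed at 169.212.1.1 itself are answered by the interface (allowaccess ping), not by the policies above, so if the sniffer shows nothing on VL212 the problem is upstream: the core switch still routes 169.212.0.0/16 to 169.210.1.1, an address the Fortigate does not own, and that next hop would need to be the Fortigate's own lan address (assumed here to be 169.210.10.200).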