Hi,
I have 2 Fortigate setup as below, and the issue as follows.
FW1 cannot ping anything on FW2. network, but FW2 can ping FW1's 10.11.30 and 10.11.40 network.
BGP is setup between the 2 and is working fine, with RouteMap and Prefix List, so traffic from 10.11.30.0 flows through port1 (192.168.9.181) and 10.11.40.0 through port2 (192.168.9.182), smae configuration is on FW2 for 10.21 network.
FW1
Routing table for VRF=0
C 10.11.30.0/24 is directly connected, VLAN30
C 10.11.40.0/24 is directly connected, VLAN40
B 10.21.30.0/24 [20/0] via 192.168.9.182 (recursive is directly connected, port1), 00:18:07, [1/0]
B 10.21.40.0/24 [20/0] via 192.168.10.182 (recursive is directly connected, port2), 00:17:40, [1/0]
C 192.168.9.0/24 is directly connected, port1
C 192.168.10.0/24 is directly connected, port2
FW2
Routing table for VRF=0
B 10.11.30.0/24 [20/0] via 192.168.9.181 (recursive is directly connected, port1), 00:18:47, [1/0]
B 10.11.40.0/24 [20/0] via 192.168.10.181 (recursive is directly connected, port2), 00:18:15, [1/0]
C 10.21.30.0/24 is directly connected, VLAN2130
C 10.21.40.0/24 is directly connected, VLAN2140
C 192.168.9.0/24 is directly connected, port1
C 192.168.10.0/24 is directly connected, port2
I ran sniffer on FW2 to capture the traffic and this is all no icmp reply
FW2 # diagnose sniffer packet any 'host 192.168.9.181' 4 0 1 interfaces=[any]
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.9.181]
pcap_snapshot: snaplen raised from 0 to 262144
0.696750 port1 in 192.168.9.181 -> 10.21.30.100: icmp: echo request
1.696916 port1 in 192.168.9.181 -> 10.21.30.100: icmp: echo request
2.697103 port1 in 192.168.9.181 -> 10.21.30.100: icmp: echo request
3.697244 port1 in 192.168.9.181 -> 10.21.30.100: icmp: echo request
4.696819 port1 in arp who-has 192.168.9.182 tell 192.168.9.181
4.696838 port1 out arp reply 192.168.9.182 is-at 00:0c:29:a3:9f:f6
25.959741 port1 in 192.168.9.181.10737 -> 192.168.9.182.179: psh 1515141430 ack 1109234650
25.959852 port1 out 192.168.9.182.179 -> 192.168.9.181.10737: ack 1515141449
26.637436 port1 out 192.168.9.182.179 -> 192.168.9.181.10737: psh 1109234650 ack 1515141449
26.638116 port1 in 192.168.9.181.10737 -> 192.168.9.182.179: ack 1109234669
30.977359 port1 out arp who-has 192.168.9.181 tell 192.168.9.182
30.977987 port1 in arp reply 192.168.9.181 is-at 00:0c:29:ef:3e:b4
The policies are the same on both.
Not sure what is going on, any thoughts ?
Thank you
Solved! Go to Solution.
For example, you're missing VL30 > p2, if VL30 is sending traffic to VL2140. You've got only half of the required policies.
Appreciate everyones input..
On the same topic, unsure if I should open a different thread.
How to allow traffic for the VM behind FW1 to reach VM behind FW2, and vice versa ?
In the above only firewalls are able to reach each other.
If you create firewall policies from VLAN interfaces to port1/port2 on both firewalls and enable source NAT, ideally this communication should work without any additional changes.
I did this, but VM in FW1 10.11.30/0/24 can reach FW2 10.21.30.0/24 but not 10.21.40.0, this is the same vice versa.
So you need 4 policies per FW, at least.
I think I have 4 policies 2 per port..
The routes seems inserted correctly in the routing table. You will need two firewall policies on both Firewalls to allow traffic from the perspective of the host that initiates the connection where it reaches the firewall.
Thanks,
Is this what is being referred to as Source NAT, this in the Policy itself ?
And do I need to enable Preserve Source Port ?
I recommend not to go this way. SNAT is poor man's routing.
That is, your routing is insufficient. NATting the traffic will conceal this and make it work but it still is incorrect.
On your VMs, is the default route (0.0.0.0/0) pointing to the FGT? If you don't want to use the default route for this, create a specific route to the remote network, with the gateway address as the address of the directly connected FGT interface. The FGT will then route the traffic to remote.
and to your question about "preserve source port": you supply 1 NAT address, the interface's address. What will happen if you fix the source port as well? What if you open 2 or more connections/sessions?
This is one way of doing it (maybe the simplest one), but since you have proper routing and non overlapping destination subnets you may not use NAT at all, just allow the traffic sourced by the real IPs.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.