Hello All,
As I am new to the forum, please pardon me if this is not the right place or topic for my query.
As you can see in the attached diagram, we are separating the same physical site into two sites named Site-A and Site-B. Both have separate ISPs.
On Site-A, inter-VLAN routing, DHCP, ACLs and the default route towards the firewall are handled on the core switch, and the Site-A firewall is only used for internal/external policies. Please note that communication between the core and the firewall is Layer 3.
On Site-B we have been told to use separate zones for each department, printers, servers (DMZ), inter-VLAN routing, DHCP, etc. on the internal firewall.
The main requirement
The main requirement is that Site-A users or VLANs should be able to access or communicate with the Site-B DNS/domain controller. For example, if a support person from Site-A needs to add a PC to the domain, that should succeed.
- Please suggest the design between Site-A and Site-B.
- Is firewall-to-firewall connectivity appropriate, or can it be between the Site-A core and the Site-B firewall?
- What will the configuration be for smooth connectivity?
We tried a lot of connectivity configurations but failed.
Please note: all the firewalls are FortiGate and all switches are Cisco. Before going to production we deployed it in EVE and tested it, but communication between Site-A and Site-B failed; apart from that everything is fine. We cannot go directly to production until we are sure that this is the way.
Your help will be highly appreciated.
Do you have connectivity between FG-site-A and the internal FW in site B? I understand the switch in between is L2 and port2 and port5 are in the same subnet? What do you mean by "We tried a lot of connectivity configuration but failed." -> which communication failed? Between the FortiGates? On both FGs you just need routing and firewall policies.
Hi Hubertw,
Thanks for the reply. Actually, there is connectivity between the Site-A firewall and the Site-B internal firewall. The main problem, or the goal we want to achieve, is that all Site-A VLAN subnets/PCs should reach the Site-B servers for joining the domain (DMZ). We changed/applied a lot of policies but failed to get communication between the Site-A subnets/PCs and the Site-B DC. Please find the attached screenshots for your reference.
[Attached screenshots: Site-A-1, Site-A-2, Site-A-3, Site-B-1, Site-B-2]
Site A-CORE:
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex auto
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 no switchport
 ip address 10.10.0.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
!
no ip http server
!
ip route 0.0.0.0 0.0.0.0 10.10.0.1
!
Can you focus on one pair of IPs (source and destination) and check if routing and policies are in place on both firewalls?
I understand 10.10.0.1 is the port1 IP on the FortiGate in site A, correct? What is the routing on this FortiGate?
You pasted the last image in a wrong way; I can't see it.
Hello Hubertzw,
Sorry for the bad last post, I was struggling with uploading screenshots. Please click the URL below; it will take you to the screenshots. Let's focus on the source PC 192.168.1.20/24, which is in VLAN-10 on Site-A, which needs to reach the DC server 172.17.18.2 in a zone on Site-B for Active Directory services.
I am kind of new to Fortinet. I don't know where I am making the mistake, and this project is on my head. I hope this URL will work.
Is there anyone else who can help me out on this?
On the Site-B FortiGate, in the firewall policy change the outgoing interface from port4 to DC-LAN40.
Show me the routing table on both FGs.
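For the flow the thread settled on (PC 192.168.1.20 in VLAN-10 on Site-A to DC 172.17.18.2 behind DC-LAN40 on Site-B), here is an added worked example of the routing and policies both FortiGates need, Site-A unit first and then Site-B; it is not configuration from the thread or from Fortinet. The Site-A unit needs a route back to 192.168.1.0/24 via the core (the core routes VLAN10 itself, as its config above shows) and a route for 172.17.18.0/24 towards Site-B, and the Site-B policy exits on DC-LAN40 rather than port4, as the reply above says. Assumed placeholders: Site-A FG port1 is 10.10.0.1 facing the core at 10.10.0.2, and a transit /24 joins Site-A FG port2 (10.20.0.1) to Site-B FG port5 (10.20.0.2).

```fortios
config firewall address
    edit "SiteA-VLAN10"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "SiteB-DC-Zone"
        set subnet 172.17.18.0 255.255.255.0
    next
end
config router static
    edit 10
        set dst 192.168.1.0 255.255.255.0
        set gateway 10.10.0.2
        set device "port1"
    next
    edit 11
        set dst 172.17.18.0 255.255.255.0
        set gateway 10.20.0.2
        set device "port2"
    next
end
config firewall policy
    edit 100
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "SiteA-VLAN10"
        set dstaddr "SiteB-DC-Zone"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Site-B FortiGate (assumed: port5 10.20.0.2 on the transit link; same two address objects defined here)
config router static
    edit 10
        set dst 192.168.1.0 255.255.255.0
        set gateway 10.20.0.1
        set device "port5"
    next
end
config firewall policy
    edit 100
        set srcintf "port5"
        set dstintf "DC-LAN40"
        set srcaddr "SiteA-VLAN10"
        set dstaddr "SiteB-DC-Zone"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying each block in the respective unit's CLI, confirm with `get router info routing-table all` on both units and `diagnose sniffer packet any 'host 172.17.18.2' 4` on the Site-B unit while the PC pings the DC; once the domain join works, replace service ALL with the AD service set.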