Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Daniel_Aguilar
New Contributor

FG 80E Issues with static routing

Hello, I'm trying to configure my FortiGate 80E as a router with static routing, but I'm having issues that I can't understand.

 

This is my current config:

Port4 has IP 172.16.0.1/255.255.255.0

Port2 has IP 172.16.1.1/255.255.255.0

In port2 I have a host with 172.16.1.2 and in port4 one host with 172.16.0.2.

From 172.16.0.2 I have succesful pings with 172.16.0.1

and 

From 172.16.1.2 I have succesful pings with 172.16.1.1

 

But I can't connect each other. I can't ping from 172.16.1.2 to 172.16.0.2 or 172.16.0.1 and I don't know why. Both subnets are directly connected to FortiGate

 

4 REPLIES 4
emnoc
Esteemed Contributor III

The "diag debug flow" is your friend. I would run that and verify the 1> fwpolicy 2> if nat is not not talking place 3> the route

 

Sounds like fwpolicy or lack of proper default-gateway on the two hosts. You can do a ping and monitor form the cli also to see what is happen

 

   diag sniffer packet any "host 172.16.1.2 and 172.16.0.2" 4

 

Ken Felix

 

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
James_G
Contributor III

Have you setup policies to allow traffic?

sw2090

This is obviously not a routing issue on the Fortigate. The FGt does have routes because it has interfaces in that subnets.

 

This can have the following reasons:

 - the PCs don't have the FGt als default gw - in this case THEY need to have static routes

 - you don't have a policy or policies to alow the trafic between those two ports and subnets in all required directions - in this case you will always match Policy #0 which means implicit deny. This is default behaviour of all FGT.

 

As Ken wrote you could check this on the FGT with diag debug flow. If the traffic reaches the FGT you will see what happens to it on the FGT in Flow Debug.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
VitaliyN
New Contributor

Hi!

If i'm right, you need 2 firewall policies: from port4 source 172.16.0.0/24 to port2 destination 172.16.1.0/24

and vise versa.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors