Hi all, I want to implement a scenario in my office; please help me out with the scenario.
I have an old Fortinet firewall FG-80C with firmware version 5.6 installed on it. The connectivity between the devices is as follows:
ONT -> Fortinet -> Unmanaged switch -> LAN users.
PPPoE is configured on the ONT; I am unable to access the ONT as the credentials are with the ISP.
The WAN2 interface of the FG-80C is getting a private IP 192.168.70.132/24 from the ONT via DHCP.
I have to configure the FG-80C so that employees can remotely access the file server placed inside the office via FortiClient.
I have also attached the topology that I need to implement.
It would be very helpful if anyone could help me get this scenario working.
Thanks in advance.
Hello,
You may consider configuring SSL VPN / IPsec. Please find the details below:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/559546/ssl-vpn-full-tunnel-for-remote-us... (SSL VPN)
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/460465/ipsec-vpn-with-forticlient (IPsec)
Port forwarding should be configured on the ONT device.
@abarushka thanks for the reply.
As I already said, I don't have access to the ONT, and the ONT is configured in PPPoE mode. The firewall is getting a private IP, not a public IP.
The Internet connection is terminating on the ONT, not on my firewall.
Hello,
Then the only option is to use DDNS. The FortiGate will update the DNS records and you will use this FQDN as the remote server in your FCT configuration. But the ONT needs to be capable of forwarding traffic from the public IP to your private IP.
The main issue in this scenario is the single fact that the ONT is not accessible; this was the main reason I had to put up this post, otherwise this question has already been answered by the technical guys on these forums.
Thank you for the reply @akristof
Hey mumer19,
There are two ways to go about this:
- somehow, your users have to be able to get through the ONT to reach the FortiGate (the ONT has to forward the traffic to the FGT on a specific port or similar)
-> DDNS would help with that if the ONT receives dynamic IPs from your ISP
-> FortiGate would be set up to receive IPSec or SSLVPN requests, and clients can connect to that and then access the fileserver through FortiGate
The other option requires an additional hop:
- set up another gateway under your control
- set up IPSec site-to-site from the FortiGate to the other gateway (FortiGate can initiate this, so no need for ONT to forward traffic to FortiGate explicitly)
- your users connect to the other gateway, and then access the fileserver through the site-to-site VPN and then FortiGate policies
Hey Debbie.
Thank you for the reply.
The firmware of the FG-80C is 5.6, and while configuring IPsec there is no option for DDNS, so I can't connect it there; secondly, it also shows a remote network field, with no detail of the remote site as it's only the VPN client, not another site.
I also tested SSL VPN by giving the DDNS name but couldn't achieve the required results.
For the second solution, I can't implement it as I don't have a 2nd hop. Is there any link which shows how to achieve this with a 2nd hop? Do share it here.
Created on 11-08-2022 04:30 AM Edited on 11-08-2022 04:30 AM
Hello,
On the FortiGate, the only thing you need to configure is DDNS, so that the DNS records are updated correctly. Then configure your IPsec as a normal remote access VPN, for example:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/589121/ipsec-vpn-with-forticlient
The only difference is that on the FortiClients, instead of an IP address in remote-gateway, you will enter the FQDN that the FortiGate is updating via DDNS.
Dear guys,
I configured the DDNS setup with a third-party DDNS server (my-noip.com). I followed the URL (https://www.51sec.org/2018/10/20/configure-fortigate-ddns-with-free-ddns-service-noip-net/) to configure the third-party DDNS. After configuring DDNS, the firewall is accessible within the local network via example.ddns.net, but unfortunately it is not accessible from outside the company network.
The configuration is as below:
Hello,
In that case, verify with a simple packet capture whether any incoming packet is seen on wan2. If not, then possibly the ISP is not forwarding packets from the public IP to your device.
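As an added example (not from this thread, nor Fortinet's own tooling): a small Python helper for the check suggested above. It classifies the wan2 lease (a 192.168.x.x or 100.64/10 address means another NAT sits upstream) and scans sniffer output for inbound packets the FortiGate never solicited, which is the only real evidence that the ONT forwards a VPN port. The sample sniffer lines are constructed in the shape of `diagnose sniffer packet wan2 ... 4` output; the exact column layout on a real unit is an assumption.

```python
import ipaddress
import re
# Constructed sample (not output from the poster's FG-80C), laid out like the
# verbosity-4 lines of `diagnose sniffer packet wan2 'port 500 or port 4500 or port 10443' 4`:
# time iface dir src.sport -> dst.dport: payload. Line 2 replies to line 1; line 3 is unsolicited.
SAMPLE_SNIFFER = """\
4.233112 wan2 out 192.168.70.132.500 -> 203.0.113.9.500: udp 280
4.298001 wan2 in 203.0.113.9.500 -> 192.168.70.132.500: udp 292
5.012345 wan2 in 198.51.100.7.44121 -> 192.168.70.132.10443: syn 1234567890
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
NON_PUBLIC = {
    "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgnat": ("100.64.0.0/10",),  # RFC 6598 shared space, common on ISP gear
}

def wan_address_class(ip: str) -> str:
    """Classify the WAN lease; anything but 'public' means double NAT upstream."""
    addr = ipaddress.ip_address(ip)
    for label, nets in NON_PUBLIC.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def parse_sniffer(text: str) -> list:
    """Parse sniffer lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records

def unsolicited_inbound_ports(records: list, wan_ip: str) -> set:
    """Local ports that received inbound packets the FortiGate never solicited,
    i.e. evidence the ONT forwards that port to wan2 (empty set: nothing arrives)."""
    outbound = set()  # (remote_ip, remote_port, local_port) seen leaving wan2
    hits = set()
    for r in records:
        if r["dir"] == "out" and r["src"] == wan_ip:
            outbound.add((r["dst"], r["dport"], r["sport"]))
        elif r["dir"] == "in" and r["dst"] == wan_ip:
            if (r["src"], r["sport"], r["dport"]) not in outbound:
                hits.add(r["dport"])
    return hits
```

Run it against a real capture taken while a FortiClient outside tries to connect: an empty result for ports 500/4500 (IPsec) or the SSL VPN port means the packets never reach wan2, so the fix lies on the ONT or with the ISP, not in the FortiGate VPN configuration.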