Hi there,
We currently have a new setup, which has a 50E used as the DMZ FW which connects directly to the WWW router on a non-routed /30 subnet (transit), and a 100E connects directly to the 50E via a transit link. Devices behind the 100E and 50E can get to the web via a NAT overload, and there are specific 1-to-1 NATs as well.
The 100E doesn't do NAT; all NAT is on the 50E. The 100E can ping the web (8.8.8.8) and reach Fortinet via the dashboard for updates etc. using a route that points to the 50E; the 50E then just pushes everything from that subnet to a public address via NAT overload. My issue is the 50E cannot ping 8.8.8.8 and does not receive updates from Fortinet on the dashboard.
Any advice? I added a loopback with its own public address; this didn't work. I added the loopback to the NAT overload group that the 100E uses; that didn't work either. I even created a 1-to-1 NAT from the /30 IP that connects to the router (not advertised) to a new public address; this wouldn't allow the 50E to ping out either via the specific source.
I have asked networks to check what is allowed in. I did a packet sniffer and it showed packets going out but not returning for the 50E; they do for the 100E. The router does have an ACL inbound which denies any IP to the 50E /30 specific IP, but the 100E is able to get out using the NAT.
Any ideas appreciated.
Many thanks
Alex
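The post's key evidence is the packet sniffer: echo requests from the 50E leave the WAN interface but no replies come back, while requests from the 100E-side subnet are answered. The script below is an added example (not part of the post, and not Fortinet's code) that makes that comparison systematic: it pairs outbound ICMP echo requests with inbound replies per source address and reports which sources never get an answer, which is exactly the symptom that points at an upstream inbound filter or a missing return path rather than at a local routing problem. It assumes the line layout of FortiOS `diagnose sniffer packet` output at verbosity 4 (`<time> <iface> <in|out> <src> -> <dst>: icmp: echo request|reply`); the sample lines and the addresses 203.0.113.10 (a NAT'd public address) and 198.51.100.2 (a transit /30 address) are constructed placeholders, not values from the post.

```python
import re
from collections import defaultdict

# One line of ICMP sniffer output in the ASSUMED layout:
#   "<time> <iface> <in|out> <src> -> <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+"
    r"(?P<kind>request|reply)\s*$"
)

# CONSTRUCTED sample capture on the WAN interface.
# 203.0.113.10 stands in for the NAT overload address used by hosts behind
# the 100E; 198.51.100.2 stands in for the firewall's own transit /30 address.
SAMPLE = """\
1.000001 port1 out 203.0.113.10 -> 8.8.8.8: icmp: echo request
1.020002 port1 in 8.8.8.8 -> 203.0.113.10: icmp: echo reply
2.000003 port1 out 198.51.100.2 -> 8.8.8.8: icmp: echo request
3.000004 port1 out 198.51.100.2 -> 8.8.8.8: icmp: echo request
4.000005 port1 out 203.0.113.10 -> 8.8.8.8: icmp: echo request
4.020006 port1 in 8.8.8.8 -> 203.0.113.10: icmp: echo reply
this line is not a sniffer record and is ignored
"""


def parse(text):
    """Parse sniffer lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def echo_stats(text):
    """Return {source_ip: (outbound_requests, inbound_replies)}.

    A reply is credited to the address it is addressed to, so a source whose
    requests leave but whose replies never arrive shows up as (n, 0).
    """
    stats = defaultdict(lambda: [0, 0])
    for rec in parse(text):
        if rec["kind"] == "request" and rec["dir"] == "out":
            stats[rec["src"]][0] += 1
        elif rec["kind"] == "reply" and rec["dir"] == "in":
            stats[rec["dst"]][1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


def unanswered_sources(text):
    """Source addresses that sent echo requests and received no reply at all."""
    return sorted(
        ip for ip, (requests, replies) in echo_stats(text).items()
        if requests > 0 and replies == 0
    )


if __name__ == "__main__":
    for ip, (requests, replies) in sorted(echo_stats(SAMPLE).items()):
        print(f"{ip:16} requests={requests} replies={replies}")
    print("no replies for:", ", ".join(unanswered_sources(SAMPLE)) or "none")
```

Run it against a real capture by replacing `SAMPLE` with the saved sniffer output. A source that appears only in the "no replies" list while NAT'd sources are answered means the packets are leaving the firewall correctly and the problem lies upstream (an inbound filter on the router, or the source address not being one the router is willing to deliver back to), which is the distinction the post's own sniffer test was trying to establish.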
Copyright 2024 Fortinet, Inc. All Rights Reserved.