Hi Guys,
I'm facing a problem replacing my old Cisco 1921 with a Fortigate 90D.
I have a public IP range from my ISP, i.e. 76.252.105.128/26. I divided this range into multiple subnets. Between the Fortigate and the ISP router there is the 76.252.105.128/28 subnet (ISP router 76.252.105.129 and Fortigate WAN: 76.252.105.130). The rest of the public IPs were divided into small 4-IP subnets and assigned to LAN interfaces, i.e. LAN_1 76.252.105.176/30. The problem is that I cannot access internet servers from LAN_1, and the opposite way too: I cannot access the internet server in LAN_1 (76.252.105.178) from the internet. I have 2 IPv4 policies, ISP -> LAN_1 (without NAT) and LAN_1 -> ISP (without NAT), allowing all traffic.
I also have a private LAN_2 (192.168.1.0) which is overloaded to 76.252.105.130 and it works great!
I have no idea why public IP routing doesn't want to work. On the old Cisco everything works great. Do you have any ideas?
Hi - you should do some basic testing: run a constant ping between two IP addresses and then run a sniffer trace from the Fortigate CLI on the interfaces, such as:
diag sniffer packet Lan_1 'host x.x.x.x and host x.x.x.x'
Does the packet arrive at the LAN_1 interface?
Then:
diag sniffer packet wan1 'host x.x.x.x and host x.x.x.x'
Does the packet leave the wan1 interface and do you get a response back from the upstream router?
That would be a good starting point; if that does not help then do a debug flow such as:
diag debug enable
diag debug flow filter saddr x.x.x.x
diag debug flow filter daddr x.x.x.x
diag debug flow show console enable
diag debug flow trace start 50
See if that gives you some clues.
Moby.
>>>The problem is that I cannot access internet servers from LAN_1 and opposite way - I cannot access internet server in LAN_1 (76.252.105.178) from the internet. I have 2 IPv4 policies ISP -> LAN_1 (without NAT) and LAN_1 -> ISP (Without NAT) allowing all traffic.
Since the IP of the internet servers is a public one, the ISP should always have a route back, so the firewall policy is good; no NAT and no VIP are required. Please check the routing table on the FGT with 'get router info routing-table all'.
Two issues here.
1) All outbound policies need to have NAT enabled for traffic to pass to the Internet.
2) Inbound traffic: I'm not too familiar with how the Cisco works, but I do know that your ISP has to pass the traffic for the inbound servers to one firewall or another. This has to be managed manually (unless you are using a routing protocol). You need to see from the outside where the traffic is being pushed to. If it is the Fortigate, then you have to make sure your Virtual IP (VIP) mappings are set up correctly and that the policies are in place to allow that traffic.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hello Guys,
Thanks for your advice!
@moby, I did the testing and it helped me figure out what the problem is.
@Jzhang_FTNT you were right. The problem is in the route table of the ISP router.
To be more specific:
The ISP router interface should be configured with IP 76.252.105.129/28. For the rest of the public IPs (76.252.105.144-76.252.105.191) there should be an IP route via our router interface (76.252.105.130).
However, I discovered that when I'm trying to ping one of my public IPs, 76.252.105.178, the ISP router sends an ARP broadcast requesting the MAC of 76.252.105.178 instead of sending the packet via our router interface. I've asked the ISP to check this router configuration and they confirmed that the router interface has IP 76.252.105.129/26 instead of 76.252.105.129/28. That's the error! The old Cisco took care of it somehow and the Fortinet can't.
The ISP will reconfigure their router and that will solve the problem.
Thanks again!
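To make the root cause concrete, here is an added Python model of the ISP router's forwarding decision for the thread's addressing (example code, not from the thread, Fortinet or Cisco): with the link interface at /28 the router sends 76.252.105.178 to the next hop 76.252.105.130, while at /26 it considers the host on-link and ARPs for it. The old Cisco most likely answered those ARPs itself through proxy ARP, which Cisco IOS enables on interfaces by default and the FortiGate does not, so the ISP-side error only surfaced after the swap.

```python
import ipaddress

# Constructed model of the ISP router's forwarding decision. Addresses are the
# ones from the thread; the "static route via the FortiGate WAN" is the
# configuration the poster says the ISP should have, assumed here.
ISP_NEXT_HOP = ipaddress.ip_address("76.252.105.130")   # FortiGate WAN address
CUSTOMER_BLOCK = ipaddress.ip_network("76.252.105.128/26")


def forwarding_decision(interface_prefix: str, destination: str) -> str:
    """Return how a router whose link interface carries `interface_prefix`
    handles a packet addressed to `destination`.

    Anything inside the interface's connected prefix is treated as on-link,
    so the router ARPs for it directly. Anything else inside the customer's
    /26 is assumed to be reachable via a static route to the FortiGate WAN.
    """
    link = ipaddress.ip_interface(interface_prefix).network
    dst = ipaddress.ip_address(destination)
    if dst in link:
        return f"on-link: ARP for {dst}"
    if dst in CUSTOMER_BLOCK:
        return f"routed: next hop {ISP_NEXT_HOP}"
    return "default route"


def hosts_wrongly_on_link(correct_prefix: str, wrong_prefix: str) -> list:
    """Host addresses the wrong mask claims as on-link that the correct mask
    would route; these are exactly the customer hosts that break."""
    good = ipaddress.ip_interface(correct_prefix).network
    bad = ipaddress.ip_interface(wrong_prefix).network
    return [str(h) for h in bad.hosts() if h not in good]


if __name__ == "__main__":
    for prefix in ("76.252.105.129/28", "76.252.105.129/26"):
        print(prefix, "->", forwarding_decision(prefix, "76.252.105.178"))
    lost = hosts_wrongly_on_link("76.252.105.129/28", "76.252.105.129/26")
    print(len(lost), "addresses wrongly treated as on-link:", lost[0], "..", lost[-1])
```

The same check can be run against the output of 'get router info routing-table all' on the FortiGate side: the server subnets must show as connected routes there, and the ISP side must show them as static routes via 76.252.105.130, not as a connected /26.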
I prefer, in situations like this, to get a /30 for the WAN interface of the Gate. That can be the external address and they can then route the /26 or /28 or whatever pool of addresses to the WAN interface of the Gate. From there you have clean control via VIPs etc.
Mike Pruett
Copyright 2024 Fortinet, Inc. All Rights Reserved.