I have a site-to-site VPN set up between my private subnet (10.0.1.0/24) and a Teltonika RUT951 router subnet (192.168.10.0/24) which is connected to the internet through dial-up (SIM card, Telcel). The site-to-site tunnel is up and running successfully on the phase 1 and phase 2 selectors. But I cannot ping or telnet from the server in the private net to the RUT951 router itself nor to any device behind the router.
But I am able to ping or telnet successfully from the RUT951 router to the server in the private net.
From the FortiGate CLI I tried to ping 192.168.10.1, but no luck.
My guess is the issue should be on the firewall of the RUT951 router, but I am new to this so I need help.
I have both policies allowing all access from RUT951 -> PRIVATE NET and PRIVATE NET -> RUT951 like below:
PRIVATE NET -> RUT951 policy (this one does not work for ping or telnet; disabling or enabling NAT gives the same result).
RUT951 -> PRIVATE NET (this one works perfectly; I can ping or telnet).
Static Routes
IPSEC TUNNEL SITE TO SITE SUCCESS STATUS.
More context:
Fortigate in a VM in AWS.
Private subnet as 10.0.1.0/24 where private server resides.
Public facing subnet 10.0.0.0/24.
My Teltonika RUT951 router subnet 192.168.10.0/24 (Internet access through SIM Card Telcel, not WAN as such).
RUT951 router ip address 192.168.10.1
Hi @OrtizJorge97 ,
Please specify the source IP for Ping on FGT:
execute ping-options source x.x.x.x // x.x.x.x is the IP assigned to port2
execute ping 192.168.10.1
Hi,
From the above information you have provided I can see NAT is enabled in the security policy. Disable NAT in the policy and clear the session. Then check.
Could you give me more details on what you mean by "clear session", like clearing the browser session?
Hi @OrtizJorge97 ,
You may run the following CLI commands to clear the sessions:
diag sys session filter proto 1
diag sys session clear
Disabled NAT for the PRIVATE NET -> RUT951 policy and cleared the session (second picture), then did a ping, but no luck :(
Cleared the session and pinged the router IP.
Ping from the server in the private subnet to the router, but no luck.
Hi @OrtizJorge97 ,
Please specify the source IP for Ping on FGT:
execute ping-options source x.x.x.x // x.x.x.x is the IP assigned to port2
execute ping 192.168.10.1
Created on 12-10-2024 05:45 PM Edited on 12-10-2024 05:45 PM
Looks like my router is responding, and also the devices behind it.
It is weird that from my server in the private net (interface port2 10.0.1.10), it is not responding to the ping.
Hi @OrtizJorge97 ,
Please run this CLI command and then reproduce the issue from your server in the private net:
diag sniffer packet any 'icmp and host 192.168.10.1' 4
Created on 12-10-2024 07:05 PM Edited on 12-10-2024 07:06 PM
Hi @dingjerry_FTNT ,
This is the output for
diag sniffer packet any 'icmp and host 192.168.10.1' 4
Nothing is displayed here after doing the ping from the server in the private net.
And this is from my private server in AWS.
Just as more context, this is my routing table on the private net.
I ran diag sniffer packet any 'icmp and host 192.168.10.1' 4 first, then did the ping from the private server in the private subnet.
Hi @OrtizJorge97 ,
No output at all. It means the ping from the private server did not reach FGT port2 at all.
On the private server, please make sure that the default gateway is pointing to FGT port2 / 10.0.1.10.
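As an added illustration of the reasoning in the reply above (this is not code from the thread or from Fortinet), the following script parses the output of diag sniffer packet ... 4 and reports where an ICMP echo exchange stops. The sniffer line format, the interface name vpn_rut951 and the server address 10.0.1.50 are assumptions; the sample captures are constructed, not taken from the thread.

```python
import re

# Verbosity-4 sniffer lines are assumed to look like:
#   "<time> <iface> <in|out> <src> -> <dst>: icmp: echo request"
PKT = re.compile(
    r"^\s*[\d.]+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+(?P<kind>echo request|echo reply)"
)

def parse_sniffer(text):
    """Return one dict per captured ICMP echo packet; header lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := PKT.match(line))]

def diagnose(text, server_ip, remote_ip, lan_if):
    """Classify how far the echo request got, following the reply's reasoning."""
    pkts = parse_sniffer(text)
    req_in = [p for p in pkts if p["kind"] == "echo request" and p["dir"] == "in"
              and p["iface"] == lan_if and p["src"] == server_ip and p["dst"] == remote_ip]
    req_out = [p for p in pkts if p["kind"] == "echo request" and p["dir"] == "out"
               and p["iface"] != lan_if and p["dst"] == remote_ip]
    reply = [p for p in pkts if p["kind"] == "echo reply" and p["src"] == remote_ip]
    if not req_in:
        return "no-ingress"     # nothing reached the LAN port: server's gateway is not the FGT
    if not req_out:
        return "not-forwarded"  # arrived on LAN port but never left: policy/route/phase-2 issue
    if not reply:
        return "no-reply"       # left through the tunnel; the remote side did not answer
    return "ok"

# Constructed sample captures (hypothetical server 10.0.1.50, tunnel interface vpn_rut951).
SAMPLE_EMPTY = "interfaces=[any]\nfilters=[icmp and host 192.168.10.1]\n"
SAMPLE_DROPPED = SAMPLE_EMPTY + "2.001 port2 in 10.0.1.50 -> 192.168.10.1: icmp: echo request\n"
SAMPLE_NOREPLY = SAMPLE_DROPPED + "2.002 vpn_rut951 out 10.0.1.50 -> 192.168.10.1: icmp: echo request\n"
SAMPLE_OK = SAMPLE_NOREPLY + (
    "2.310 vpn_rut951 in 192.168.10.1 -> 10.0.1.50: icmp: echo reply\n"
    "2.311 port2 out 192.168.10.1 -> 10.0.1.50: icmp: echo reply\n")

if __name__ == "__main__":
    for name, cap in [("empty", SAMPLE_EMPTY), ("dropped", SAMPLE_DROPPED),
                      ("noreply", SAMPLE_NOREPLY), ("ok", SAMPLE_OK)]:
        print(name, "->", diagnose(cap, "10.0.1.50", "192.168.10.1", "port2"))
```

An empty capture, as in the thread, yields "no-ingress", which points at the server's default gateway rather than at the FortiGate policy or the remote router's firewall.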