kzuk
New Contributor

Fortigate VDOMs instead of two CISCO routers

Hi,

I have used two CISCO routers so far.

The first router provided access to the internet and for the first segment of the network. Behind this router was a second one (behind NAT), which was a network separator. I would like to implement this configuration on one Fortigate 100E. I have already created two VDOMs but I am not sure if I should use VDOM Links or something else.

kzuk
New Contributor

I already tried that. Nothing changed.

smari
New Contributor

Alright, try putting some IPs on the vlink interfaces and ping between them, and from the secure host to the IP on the vlink public end.

NSE7, FMG, FAC, FAZ .

1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.

kzuk
New Contributor

I already tried that... but... can't :(

VLAN_Public is configured for use with FortiSwitch. The VDOMs are configured with these VLAN interfaces.

smari
New Contributor

Ahh, you can put any address on there; just put a /30 with IPs on each vlink interface within range.

NSE7, FMG, FAC, FAZ .

1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.

kzuk
New Contributor

Ok, debug flow below.

Current vlink config:

(VDOM_Secure) # execute ping 172.3.255.10

id=20085 trace_id=4561 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=0."
id=20085 trace_id=4561 func=init_ip_session_common line=5657 msg="allocate a new session-0000e6d6"
id=20085 trace_id=4562 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=1."
id=20085 trace_id=4562 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction"
id=20085 trace_id=4563 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=2."
id=20085 trace_id=4563 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction"
id=20085 trace_id=4564 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=3."
id=20085 trace_id=4564 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction"
id=20085 trace_id=4565 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=4."
id=20085 trace_id=4565 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction"

PING 172.3.255.10 (172.3.255.10): 56 data bytes
--- 172.3.255.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
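A small parser for that kind of debug-flow dump, added here as an example (not code from the thread or from Fortinet): it groups the records by trace_id and reports whether each packet reached a policy decision, which is the first thing to check when a ping works in one direction only. The sample records are constructed in the same format as the dump above; the "Denied by forward policy check" message is the standard FortiOS one and does not appear in kzuk's own output.

```python
"""Summarise FortiOS 'diagnose debug flow' records per trace_id. Added example, not
code from the thread or Fortinet; sample records are constructed in the format above."""
import re

# Records are often run together on one line, so scan with findall, not splitlines.
RECORD_RE = re.compile(r'id=\d+ trace_id=(\d+) func=\S+ line=\d+ msg="([^"]*)"')
PKT_RE = re.compile(r'vd-([^:]+):\d+ received a packet\(proto=(\d+), '
                    r'([^ ,()]+)->([^ ,()]+)\) from ([^\s.]+)\.')

def parse_debug_flow(text):
    """Group records by trace_id; keep the parsed packet header and every msg."""
    traces = {}
    for trace_id, msg in RECORD_RE.findall(text):
        entry = traces.setdefault(trace_id, {"packet": None, "msgs": []})
        entry["msgs"].append(msg)
        m = PKT_RE.search(msg)
        if m:
            vdom, proto, src, dst, ingress = m.groups()
            entry["packet"] = (vdom, int(proto), src, dst, ingress)
    return traces

def classify(msgs):
    """Reduce a trace's messages to a verdict the reader can act on."""
    joined = " | ".join(msgs)
    if "Allowed by Policy-" in joined:
        return "allowed"
    if "Denied by forward policy check" in joined or "check failed on policy" in joined:
        return "denied-by-policy"
    if "existing session" in joined:
        return "existing-session"    # reuses a decision made on an earlier trace
    if "allocate a new session" in joined:
        return "no-policy-decision"  # no route/policy msg: policy debugs off, or dropped earlier
    return "unknown"

def summarise(text):
    """One row per trace: (trace_id, vdom, src, dst, ingress, verdict)."""
    rows = []
    for tid, entry in parse_debug_flow(text).items():
        vdom, _proto, src, dst, ingress = entry["packet"] or ("?", 0, "?", "?", "?")
        rows.append((tid, vdom, src, dst, ingress, classify(entry["msgs"])))
    return rows

# Constructed sample: a Secure-side trace like kzuk's, plus a Public-side trace
# that hits policy 0 (the implicit deny), which is what a one-way ping looks like.
SAMPLE = (
    'id=20085 trace_id=4561 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=0." '
    'id=20085 trace_id=4561 func=init_ip_session_common line=5657 msg="allocate a new session-0000e6d6" '
    'id=20085 trace_id=7001 func=print_pkt_detail line=5497 msg="vd-VDOM_Public:0 received a packet(proto=1, 172.3.255.10:1->172.20.255.2:2048) from VLAN_Public. type=8, code=0, id=1, seq=0." '
    'id=20085 trace_id=7001 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"'
)
```

Run `summarise(SAMPLE)` to get one row per trace; a "no-policy-decision" row on a session that was just allocated usually means the policy-check debug was not enabled, which is what the next reply suggests turning on.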

ede_pfau

Please add "diag deb flow console ip ena" to enable policy check debugs.

And, you're pinging 172.20. to 172.3., whereas the other link's end is 172.10. - ??

Ede

"Kernel panic: Aiee, killing interrupt handler!"
kzuk
New Contributor

There is progress :)

But I can ping only one way.

VDOM_Public

- has internet access - this is ok

- has access in VLAN_Public - this is ok

- does not have access to VLAN_Secure - not ok :(

VDOM_Secure

- does not have internet access - this is ok

- has access to both VDOMs - this is ok

Config uploaded.

Policies are the same on both VDOMs, static routes too. And communication is only one way.

Any suggestions?
