Hi,
I have used two CISCO routers so far.
The first router provided access to the internet and for the first segment of the network. Behind this router was a second one (behind NAT), which was a network separator. I would like to implement this configuration on one Fortigate 100E. I have already created two VDOMs but I am not sure if I should use VDOM Links or something else.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I already try that. Nothing change.
Allright, try putting some ip's on the vlink interfaces and ping between them and from the secure host to the ip on the vlink public end.
NSE7, FMG, FAC, FAZ .
1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
Ahh, you can put any address on there, just put a /30 with ip's on each vlink interface within range.
NSE7, FMG, FAC, FAZ .
1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
Ok, debug flow below.
Current vlink config:
(VDOM_Secure) # execute ping 172.3.255.10
id=20085 trace_id=4561 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=0." id=20085 trace_id=4561 func=init_ip_session_common line=5657 msg="allocate a new session-0000e6d6" id=20085 trace_id=4562 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=1." id=20085 trace_id=4562 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction" id=20085 trace_id=4563 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=2." id=20085 trace_id=4563 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction" id=20085 trace_id=4564 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=3." id=20085 trace_id=4564 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction" id=20085 trace_id=4565 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=4." id=20085 trace_id=4565 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction"
PING 172.3.255.10 (172.3.255.10): 56 data bytes --- 172.3.255.10 ping statistics --- 5 packets transmitted, 0 packets received, 100% packet loss
Please add "diag deb flow console ip ena" to enable policy check debugs.
And, your pinging 172.20. to 172.3., whereas the other link's end is 172.10. - ??
There is progress :)
But i can ping only in one way.
VDOM_Public
- has internet access - this is ok
- has access in VLAN_Public - this is ok
- not have access to VLAN_Secure - not ok :(
VDOM_Secure
- not have internet access - this is ok
- has access both VDOMs - this is ok
Config uploaded.
Policies the same on both VDOMs, static routes too. And communication is only one way.
Any sugestions?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.