Hello,
We have a Fortigate 100D in our office and created an IPSEC VPN to our PfSense firewall in the datacenter. The IPSEC is online and the configured local/remote networks can both access each other. The remote network is 172.16.0.0/24 (PfSense) and the local networks are 192.168.10.0/24 and 192.168.100.0/24 (both on Fortigate).
When the Fortigate, which has an interface in both local networks (192.168.10.1 and 192.168.100.1), tries to access the remote network 172.16.0.0/24 it fails. The Fortigate uses its disabled DMZ interface (10.10.1.2) to access the network.
Is there a way I can force the Fortigate to use the 192.168.10.1 or 192.168.100.1 interface to access the 172.16.0.0/24 network? I have a static route configured, as it won't route otherwise.
We are running firmware 6.0.11.
Kind regards,
Tom
Hi Tom,
Thank you for reaching out to us.
Please clarify the sort of traffic you are generating on FGT that is failing.
You can share the following debugs to see what FGT is doing with traffic:
diag de flow filter addr <remote-IP>
diag de flow trace start 1000
diag de en
Generate the traffic and see what FGT does with it.
If you are testing with a ping, you can use ping-option to configure source-ip.
Explained here:
Thank you.
Shahan Agha
Hi Shahan,
Setting the ping-options to source 192.168.10.1 has made the remote network reachable. I did not know that was a setting...
I am trying to add a new LDAP server for authentication. The current LDAP server is local, but the new one is in the DC - which is why we have the IPSEC VPN. I keep getting an Invalid LDAP Server error and checked the connectivity between the Fortigate and the remote network. That's where I noticed the traffic was flowing from the disabled DMZ towards the remote network. So I'm not sure if it was just ping failing or it just can't connect to the remote network. I will dig further, but I think the ping-option solved the ping issue.
Kind regards,
Tom
Hi Tom,
You have the option of configuring source-ip on FGT for locally originated traffic. You can configure this for LDAP as well.
config user ldap
edit <server_name>
set source-ip x.x.x.x
end
Details here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-with-remote-LDAP-via-site-t...
If this clarifies your queries, please mark this as resolved.
Thank you.
Shahan Agha
Hi Shahan,
Just a quick follow-up to the issue - LDAP now can successfully reach our AD in the DC. However, when the AD in the DC tries to reach our local network, it sends the requests through the DMZ instead of the 192.168.10.1 or 192.168.100.1 networks.
Is there a way to make sure a request from the 172.16.0.0/24 network goes through 192.168.10.0/24 or 192.168.100.0/24, instead of 10.10.1.2?
Hi CustomX,
For this, you will have to check how the traffic is getting routed and might need Firewall policies with NAT between two interfaces. This way you can perform source NAT and change the source as you like by either using the IP address of the interface or IP pools in the Firewall Policy.
Thanks,
Shahan
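The three pieces discussed in this thread (source-ip for locally originated LDAP traffic, ping-options for testing, and an inbound policy with NAT for traffic arriving from the DC over the tunnel) combined into one FortiOS CLI example. This is added here and is not configuration from the thread; the server name, interface names, address objects, DN and the 172.16.0.10 server address are assumptions.

```fortios
# 1. Locally originated LDAP traffic: bind to the LAN interface address
#    so the FortiGate does not source it from the disabled DMZ interface.
config user ldap
    edit "dc-ldap"                         # hypothetical server name
        set server "172.16.0.10"           # constructed address of the AD in the DC
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"       # constructed base DN
        set source-ip 192.168.10.1         # LAN interface IP covered by the phase2 selector
    next
end

# 2. Locally originated test traffic: same idea, set per CLI session.
execute ping-options source 192.168.10.1
execute ping 172.16.0.10

# 3. Return direction: sessions initiated by the DC arriving over the IPsec
#    interface and leaving towards the LAN get SNAT to the LAN interface IP.
config firewall address
    edit "dc-net"
        set subnet 172.16.0.0 255.255.255.0
    next
    edit "lan-net"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "dc-to-lan-snat"
        set srcintf "to-dc-vpn"            # hypothetical IPsec phase1 interface name
        set dstintf "internal"             # hypothetical LAN interface name
        set srcaddr "dc-net"
        set dstaddr "lan-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                     # SNAT to the egress interface IP (no IP pool)
    next
end
```

The source-ip must fall inside the tunnel's local phase2 selector, otherwise the reply traffic is not matched into the IPsec tunnel and the LDAP bind still fails.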
Thanks Shahan, that resolved the issue!
Copyright 2024 Fortinet, Inc. All Rights Reserved.