Hello folks!
It's my first time administering network resources and a firewall in my company.
And I've gotten into trouble. In my scenario, my company has 3 carriers using SD-WAN to balance those links in case of failure. On one of these links I made an IPsec VPN connection with another office. But sometimes, when I have a failure in my links and I need to use the link that has the IPsec VPN, when I access my system pages hosted in that datacenter via the internet, my packets go through the VPN tunnel and not directly to the internet. The network team from the other office analyzed the traffic and gave me 2 possibilities to solve this:
1- Make an IP pool with my 6 public IPs and build a virtual network interface, and route my packets to the internet using another public IP, using an IPv4 policy with a VIP attached to this rule to forward my traffic to another public IP from this carrier.
Or talk with my carrier (in this case Level 3) to activate another port on my Cisco router with another public IP available in my range, create an interface on my Fortinet using that IP and forward my internet traffic to this public address.
What is the best idea to solve this problem, and how can I do it?
Best regards!
Lucas Prado.
A little confused. Can you please share the design and requirements clearly?
Regards,
Ashik
Ashu
As ashik said, more details would help.
Which version of FortiOS are you running?
Are you specifically hosting servers? If not, you may not need to use a VIP, except as a workaround.
Are your VPN connections route/interface based or policy based?
Do you already have multiple static IPs for each ISP? Sounds like no?
You're using SD-WAN, but I'm unclear on how the failover works for your internet access and VPN access.
I think you are saying that your problem is that, in a failure case for one of the links, your traffic that should go out to the internet is instead going over one of your VPN interfaces. Correct? If so, please describe the failure case. Knowing how you have link-monitor set up to catch connections that are down, and the associated static routes and policy routes, would help.
All the best.
Hello tanr! How are you?
Below I put my answers to help you, OK?
Which version of FortiOS are you running? Version: 5.6.5
Are you specifically hosting servers? If not, you may not need to use a VIP, except as a workaround. No.
Are your VPN connections route/interface based or policy based? Yes, I have an interface-based VPN. I use only an IPv4 policy to allow my traffic to pass through to the other network.
Do you already have multiple static IPs for each ISP? Sounds like no? I don't have multiple static IPs for each ISP.
You're using SD-WAN, but I'm unclear on how the failover works for your internet access and VPN access? I can explain for you: I use SD-WAN to load balance, if one of my two internet links goes down. But the problem is: on wan1 I made a VPN connection to my other office, which hosts some of the websites that I use in my office. And I need this traffic to go to the internet, not pass through the IPsec VPN, and I need to use a different IP to pass this traffic directly to the internet. (Right now I'm using 200.x.x.58 on the wan1 interface, and it is the same IP that I use to establish the VPN tunnel with the other site.)
When I use wan2 (that link doesn't have any VPN with this office) I can access those websites hosted in my datacenter normally. But if I need to use the wan1 link and I try to access those links, I get a 404 error in my browser.
And analyzing with the other team, they see that my packet is going via the VPN, not directly to the internet, and because of this I get errors accessing those URLs.
The idea is: either I use a virtual interface or use NAT to pool these IPs and route my packets to another public IP from the /29 that I have available to use, for example 200.x.x.59/29,
or use a WIC interface from the Level 3 Cisco router, connect it directly to my 100D firewall, add a new interface with this public IP, 200.x.x.59/29, and pass my internet traffic through this IP.
I think you are saying that your problem is that, in a failure case for one of the links, your traffic that should go out to the internet is instead going over one of your VPN interfaces. Correct? If so, please describe the failure case. Knowing how you have link-monitor set up to catch connections that are down, and the associated static routes and policy routes, would help.
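As an added illustration, not taken from the thread, this is roughly what the first option described in the post above looks like in FortiOS 5.6 CLI: an overload IP pool holding the second public address, attached to the LAN-to-internet policy that leaves via wan1. Interface names, the policy name and the addresses are placeholders (RFC 5737 documentation space stands in for the poster's masked 200.x.x.x range). One caveat a practitioner should keep in mind: on a FortiGate the route lookup selects the egress interface before a firewall policy and its source NAT are applied, so a pool on a wan1 policy only rewrites the source address of traffic that routing already sends out wan1. It cannot, by itself, pull traffic off a route whose next hop is the IPsec tunnel interface; that part has to be fixed in the static routes or policy routes.

```text
# Added example (not from the original post). Placeholders:
#   "internal"      = LAN interface
#   "wan1"          = carrier link that also terminates the IPsec tunnel
#   203.0.113.59    = stands in for the poster's second public IP (200.x.x.59)

config firewall ippool
    edit "inet-pool-59"
        set type overload
        set startip 203.0.113.59
        set endip 203.0.113.59
    next
end

config firewall policy
    edit 0
        set name "LAN-to-Internet-wan1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "inet-pool-59"
    next
end
```

Because this policy only matches sessions whose route lookup already resolved to wan1, check the routing table for the hosted site's prefix first: if the route points at the tunnel interface, the SNAT pool never sees the traffic.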
Hi
Still not clear for me... Just tell us in points.
Or just share with us a high-level design of your network.
Regards,
Ashik
Ashu
lprado, your image didn't come through in the post; maybe it had more details?
This sounds mostly like a routing issue (or possibly link-monitor), but we would have to know how you are doing the routing.
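To gather the routing information tanr is asking for, these FortiOS 5.6 CLI commands (added here as an example, not part of the thread) show which interface the route lookup picks for the hosted site, trace one live session through route lookup, policy match and NAT, and print the link-monitor and SD-WAN health-check state. The web server address is a placeholder; substitute the real one.

```text
# Added example (not from the original post).
# 203.0.113.10 is a placeholder for the website hosted at the other office.

# 1. Which egress interface does the route lookup choose for the site?
#    If the interface shown is the IPsec tunnel, that is the cause.
get router info routing-table details 203.0.113.10

# 2. Full table: look for the site's prefix, or a 0.0.0.0/0 route,
#    pointing at the tunnel interface.
get router info routing-table all

# 3. Policy routes are consulted before the routing table.
show router policy

# 4. Trace one session end to end (route lookup, policy id, SNAT).
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
#    ... open the site from a LAN host, then stop the trace:
diagnose debug disable
diagnose debug reset

# 5. Link-monitor and SD-WAN health-check state at the time of failure.
diagnose sys link-monitor status
diagnose sys virtual-wan-link health-check
```

In the flow trace, the line that names the outgoing interface ("find a route" with a device name) tells you whether the packet was routed to wan1 or to the tunnel before any policy was matched, which is exactly the distinction the thread is trying to settle.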