mumbles202
New Contributor II

Hub and Spoke Design w/ Tunnel All

I'm working on a new deployment of a 30D (running 5.0.2) that will be a spoke and needs to connect to a Cisco ASA as the hub.  I was able to configure the tunnel via the CLI and confirm I am able to pass traffic between the locations, but I also need the 30D to send all of its traffic through the tunnel, as the goal is to have all the internet traffic go out through the hub.  In an attempt to get this working I created the tunnel, then modified the destination to be 0.0.0.0/0 and updated the policies I had w/ the same.  But when I do a traceroute it is still going out locally.  The WAN interface is getting its address via DHCP, so its default route is in the routing table and I didn't see a way to modify it.

Also, on a side note, is there a way to do any kind of port-security or MAC filtering on the LAN ports on that device?  I see how to do it for the wireless side, but didn't see how it would be done on the wired ports.

1 Solution
Jeroen
Contributor

Create a policy based route for the traffic that is originating from a specific interface. Route this traffic through the VPN tunnel interface.

My experience is that using a 0.0.0.0/0 with Cisco on the other end is not successful, because Cisco is using the VPN routing to create its routing table. This is depending on the model of ASA.


mumbles202
New Contributor II

Thanks.  So something like this:

config firewall address
    edit "local_address"
        set subnet 172.25.101.0 255.255.255.0
    next
    edit "Internet"
        set subnet 0.0.0.0 0.0.0.0
    next
end

config firewall policy
    edit 4
        set srcintf "lan"
        set dstintf "Remote"
        set srcaddr "local_address"
        set dstaddr "Internet"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "From LAN to Internet"
    next
    edit 5
        set srcintf "Remote"
        set dstintf "lan"
        set srcaddr "Internet"
        set dstaddr "local_address"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "From Internet to LAN"
    next
end

config router policy
    edit 1
        set srcintf "lan"
        set srcaddr "local_address"
        set dstaddr "Internet"
        set device "Remote"
    next
end

I'll take a look.  I've done Cisco to Cisco w/o issue (w/ this particular ASA being the hub for a similar setup for another branch) so I think that part should be straight forward.  
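As an added example (editor's, not from either poster): the policy route written with the keys the FortiOS 5.0 `config router policy` branch actually accepts (input-device, src, dst, output-device, with IP/mask values rather than address-object names), followed by the checks that show whether LAN traffic is really being steered into the tunnel instead of out the DHCP default route. The interface names "lan" and "Remote" and the 172.25.101.0/24 subnet come from the thread; 203.0.113.10 is a constructed test destination.

```fortios
config router policy
    edit 1
        set input-device "lan"
        set src 172.25.101.0/24
        set dst 0.0.0.0/0
        set output-device "Remote"
    next
end

# Policy routes are consulted before the routing table; confirm the entry is installed
diagnose firewall proute list

# The DHCP default route on wan stays in the table; that is expected and harmless here
get router info routing-table all

# From a LAN host, send traffic to the test destination and confirm it leaves on "Remote", not "wan"
diagnose sniffer packet any 'host 203.0.113.10' 4
```

If the sniffer shows packets entering "Remote" but nothing comes back, the ASA side is not accepting the 0.0.0.0/0 selector, which is the failure Jeroen describes above.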
