Hi
I have two LAN interfaces, the first 192.168.0.0/255.255.252.0 and the second 192.168.4.0/255.255.255.0. I want to connect the devices on LAN 192.168.4 to the server with Active Directory and a shared folder on 192.168.0.1. I created two IPv4 policies to connect between the LANs, but I can't get a ping between the LANs. What can the problem be?
Thanks
I can't pull up ALL the graphs but what I would do is to start a diag debug flow and monitor the output . The output will give you a clue and direction on what to check next.
e.g.
diag debug disable
diag debug enable
diag debug flow filter addr 192.168.0.1
diag debug flow filter proto 1
diag debug flow show console enable
diag debug flow trace start 100
Then conduct a ping to the target, and when you're done doing your testing & diagnostics:
diag debug reset
diag debug disable
Also I would review the fwpolicies between the internal 1+3 interfaces / netmask on the interfaces and hosts / fwpolicies ordering+sequence / etc.
PCNSE
NSE
StrongSwan
Did I spot this right that the first LAN has a 255.255.252.0 mask? That is, 4 Class C networks covering 192.168.0.0 to 192.168.3.254?
Are you sure this is intended?
If your server is not responding then I would suspect a personal firewall (software) on the server blocking ICMP. Ping the interface IP addresses of the FGT instead. If that is working the policies are OK but the hosts are not responding.
I noticed that you enabled NAT in the policy. Is it required, since it is LAN-to-LAN? Disable it and give it a try.
FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.
Where could I see the debug results?
Server 1 (192.168.0.1) is an Active Directory server with subnet 255.255.252.0.
Server 1 is connected to internal 1:
Internal 1 is connected to internal 3 through these policies:
Internal 3 is a DHCP server for another LAN network:
I want to get a ping reply from the server to a computer on internal 3.
Even with screenshots, the network topology is confusing as hell. lol.
In the firewall policy (internal3->internal1) you are only allowing certain port traffic through, though not the ports needed for actual file/folder access (aka file/print sharing). In the other firewall policy (internal1->internal3), you are basically only giving "01servers" RDP access. The DHCP server on internal3 is configured to hand out 192.168.4.61 (which is not the Fortigate IP from what I can tell) as the gateway IP address -- is that correct?
As others have indicated, NAT should be disabled. Since an Active Directory is involved, there should be some sort of trust relationship between the two subnets. If the computers on internal3 are not part of the same AD domain, then those computers (on internal3) really shouldn't be connecting directly to the AD computer. (i.e. not best practice).
Edit: if you want internal3 to "join" the same AD domain, there are several websites showing how to do this.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
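The checks the replies above walk through (NAT left on in a LAN-to-LAN policy, policies that omit the services the stated goal needs, a DHCP gateway that is not the FortiGate's own address, and what the /22 mask actually covers) as a small audit over a constructed model of this thread's topology. This is an added example, not code from the thread or from Fortinet; the FortiGate interface addresses, the policy service names and the required-service list are assumptions, since the thread never states them.

```python
import ipaddress

# Constructed model of the thread's topology. The FortiGate interface IPs and
# the service names below are assumptions; the subnets, the 192.168.4.61 DHCP
# gateway and "NAT enabled" come from the thread.
LANS = {
    "internal1": ipaddress.ip_network("192.168.0.0/255.255.252.0"),
    "internal3": ipaddress.ip_network("192.168.4.0/255.255.255.0"),
}
FGT_IFACE_IPS = {  # assumed FortiGate addresses on each interface
    "internal1": ipaddress.ip_address("192.168.0.254"),
    "internal3": ipaddress.ip_address("192.168.4.1"),
}
DHCP_GATEWAY = ipaddress.ip_address("192.168.4.61")  # handed out on internal3
POLICIES = [  # narrow service lists with NAT on, as the replies describe
    {"src": "internal3", "dst": "internal1", "services": {"RDP", "HTTP"}, "nat": True},
    {"src": "internal1", "dst": "internal3", "services": {"RDP"}, "nat": True},
]
# Assumed service set for "ping the AD server and reach its shared folder".
REQUIRED = {"PING", "DNS", "KERBEROS", "LDAP", "SMB"}


def audit(lans, fgt_ips, policies, dhcp_gateway, client_if, server_if, required):
    """Return human-readable findings explaining why LAN-to-LAN traffic may fail."""
    findings = []
    names = list(lans)
    for i, a in enumerate(names):  # overlapping subnets break routing between them
        for b in names[i + 1:]:
            if lans[a].overlaps(lans[b]):
                findings.append(f"subnet overlap: {a} {lans[a]} / {b} {lans[b]}")
    for p in policies:
        tag = f"{p['src']}->{p['dst']}"
        if p["nat"]:  # source NAT hides the real client address on a LAN-to-LAN path
            findings.append(f"{tag}: NAT enabled on a LAN-to-LAN policy")
        if p["src"] == client_if and p["dst"] == server_if:
            missing = sorted(required - p["services"])  # clients must reach AD/SMB services
            if missing:
                findings.append(f"{tag}: missing services {missing}")
        elif p["src"] == server_if and "PING" not in p["services"]:
            findings.append(f"{tag}: PING not allowed, so the server cannot ping clients")
    if dhcp_gateway not in lans[client_if]:  # gateway must sit inside the client subnet
        findings.append(f"DHCP gateway {dhcp_gateway} is outside {lans[client_if]}")
    elif dhcp_gateway != fgt_ips[client_if]:  # and be the FortiGate, or traffic never arrives
        findings.append(f"DHCP gateway {dhcp_gateway} is not the FortiGate {client_if} IP")
    return findings


if __name__ == "__main__":
    print(f"internal1 covers {LANS['internal1'][0]} - {LANS['internal1'].broadcast_address}")
    for line in audit(LANS, FGT_IFACE_IPS, POLICIES, DHCP_GATEWAY, "internal3", "internal1", REQUIRED):
        print("FINDING:", line)
```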
Hi,
Why did you enable NAT? Do you require translation? If not, disable it and it should work.
FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.