Yosef
New Contributor

IPv4 Policy Lan to Lan

Hi

I have two LAN interfaces, the first 192.168.0.0/255.255.252.0 and the second 192.168.4.0/255.255.255.0. I want to connect the devices on LAN 192.168.4 to the server with Active Directory and a shared folder on 192.168.0.1. I created two IPv4 policies to connect between the LANs, but I can't get a ping between the LANs. What can be the problem?

Thanks
emnoc
Esteemed Contributor III

I can't pull up ALL the graphs, but what I would do is start a diag debug flow and monitor the output. The output will give you a clue and direction on what to check next.

e.g.

diag debug disable
diag debug enable
diag debug flow filter addr 192.168.0.1
diag debug flow filter proto 1
diag debug flow show console enable
diag debug flow trace start 100

Then conduct a ping to the target, and when you're done doing your testing & diagnostics:

diag debug reset
diag debug disable

Also I would review the fw policies between the internal1 and internal3 interfaces, the netmasks on the interfaces and hosts, the fw policy ordering/sequence, etc.

PCNSE NSE StrongSwan
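The trace lines those commands print to the console are what answer the question. As an added example (not emnoc's or Fortinet's code), here is a small Python parser run over a constructed trace whose line format is approximated from FortiOS debug flow output (the addresses, interfaces and policy IDs in the sample are invented); it groups lines by trace_id and reports the ingress/egress interface and whether each packet was allowed or denied, and by which policy.

```python
import re
# Constructed sample of "diag debug flow" console output (line format approximated
# from FortiOS, not captured from the poster's FortiGate). trace_id 1: ICMP from
# internal3 to the AD server hits the implicit deny; trace_id 2: the same packet
# after a matching policy (ID 2, with NAT enabled) exists.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.4.20:1->192.168.0.1:2048) from internal3. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.0.1 via internal1"
id=20085 trace_id=1 func=fw_forward_handler line=765 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.4.20:1->192.168.0.1:2048) from internal3. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.0.1 via internal1"
id=20085 trace_id=2 func=fw_forward_handler line=765 msg="Allowed by Policy-2: SNAT"
"""
LINE_RE = re.compile(r'trace_id=(\d+) .*? msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+):?\s*(\S*)')

def parse_flow_trace(text):
    """Group debug-flow lines by trace_id; record ingress, egress and verdict."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a debug-flow line (CLI echo, prompt, etc.)
        flow = flows.setdefault(int(m.group(1)), {"verdict": "unknown"})
        if (p := PKT_RE.search(m.group(2))):
            flow.update(proto=int(p.group(1)), src=p.group(2), dst=p.group(3), ingress=p.group(4))
        elif (r := ROUTE_RE.search(m.group(2))):
            flow["egress"] = r.group(1)
        elif (d := DENY_RE.search(m.group(2))):
            # policy 0 is the FortiOS implicit deny: no configured policy matched
            flow.update(verdict="denied", policy=int(d.group(1)), implicit_deny=d.group(1) == "0")
        elif (a := ALLOW_RE.search(m.group(2))):
            flow.update(verdict="allowed", policy=int(a.group(1)), nat=a.group(2) == "SNAT")
    return flows

def explain(flow):
    """One-line reading of a parsed trace, suitable for pasting into a reply."""
    path = f"{flow.get('src')} -> {flow.get('dst')} ({flow.get('ingress')} -> {flow.get('egress', '?')})"
    if flow["verdict"] == "denied" and flow.get("implicit_deny"):
        return f"{path}: denied, no policy matched (implicit deny)"
    if flow["verdict"] == "allowed":
        return f"{path}: allowed by policy {flow['policy']}" + (" with NAT" if flow.get("nat") else "")
    return f"{path}: {flow['verdict']}" + (f" by policy {flow['policy']}" if "policy" in flow else "")

if __name__ == "__main__":
    for tid, flow in sorted(parse_flow_trace(SAMPLE_TRACE).items()):
        print(f"trace {tid}: {explain(flow)}")
```

A "denied ... (policy 0)" line means no policy matched the packet at all, which points at the policy definitions or their order rather than at the server; an "allowed" line with the packet still unanswered points at the host (personal firewall, wrong gateway) or at NAT rewriting the source.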
ede_pfau
SuperUser

Did I spot this right that the first LAN has a 255.255.252.0 mask? That is, 4 Class C networks covering 192.168.0.0 to 192.168.3.254?

Are you sure this is intended?


If your server is not responding then I would suspect a personal firewall (software) on the server blocking ICMP. Ping the interface IP addresses of the FGT instead. If that is working the policies are OK but the hosts are not responding.

Ede Kernel panic: Aiee, killing interrupt handler!
Fahad
New Contributor III

I noticed that you enabled NAT in the policy. Is it required, since it is LAN-to-LAN? Disable it and give it a try.

FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.
Yosef
New Contributor

Where could I see the results of the debug result?

Yosef
New Contributor

Server 1, 192.168.0.1, is an Active Directory server with subnet 255.255.252.0.

Server 1 is connected to internal 1:

Internal 1 is connected to internal 3 through these policies:

Internal 3 is a DHCP server for another LAN network:

I want to get a ping reply from the server to a computer on internal 3.

Dave_Hall
Honored Contributor

Even with screenshots, the network topology is confusing as hell. lol.

In firewall policy (internal3->internal1) you are only allowing certain port traffic through, though not the ports needed for actual file/folder access (aka file/print sharing). In the other firewall policy (internal1->internal3), you are basically only giving "01servers" RDP access. The DHCP server on internal3 is configured to hand out 192.168.4.61 (which is not the FortiGate IP from what I can tell) as the gateway IP address -- is that correct?

As others have indicated, NAT should be disabled. Since an Active Directory is involved, there should be some sort of trust relationship between the two subnets. If the computers on internal3 are not part of the same AD domain, then those computers (on internal3) really shouldn't be connecting directly to the AD computer. (i.e. Not best practice.)

edit: if you want internal3 to "join" the same AD domain, there are several websites showing how to do this.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Fahad
New Contributor III

Hi,

Why did you enable NAT? Do you require translation? If not, disable it and it should work.

FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.