I have two firewalls A and B my requirement is that internet traffic of firewall A users goes through firewall B through an IPsec tunnel
in simple terms, I want that users on firewall A their public ip should be of site B
so should I have to edit some default route or what is the way to acheive this
following is some links
1:
2:
which link is required for my query or the following option is required (use remote)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Secsupport,
Let's suppose you have configured the VPN parameters and firewall policies as per the article mentioned. Regarding static routing, I will briefly explain you based upon the below diagram.
Let Fortigate A is connected to the internet via PORT1( IP address: 2.2.2.2)
Fortigate B is connected to the internet via PORT1 ( IP address: 1.1.1.1).
Here in Fortigate A, you have to configure two routes:
1. 1.1.1.1/32 via port1 (to make the tunnel up)
2. 0.0.0.0/0 via IPsec tunnel (to route rest of the traffic via IPSec tunnel)
Created on 02-21-2023 03:49 AM Edited on 02-22-2023 03:40 AM
what about policies on both firewalls ?
FG-A:
incomming interface : lan
outgoing interface : ipsecvpn tunnel
nat (enable/disable)?
FG-B:
incomming interface : ipsecvpn tunnel
outgoing interface : wan
nat (enable/disable)?
kindly confirm what these rules or anyother required step
Secondly if one of the firewalls is behind the NAT then same steps will be required or different?
Hi Secsupport,
Regarding firewall policies:
On FortiGate A:
IPSEC tunnel to Port1 (enable NAT here) -- to allow internet access to VPN users coming from Fortiagate B
On Fortigate B:
Lan to IPSEC (without NAT)
Regards
Beware secsupport, I think you mix up FGT A and B. FGT A is the one with internet access.
As a FGT is not only a router, you need a couple of things in order to make this work:
routes - phase 2 selectors - policies - NAT
in detail:
1- a default route on FGT B pointing to the tunnel
1b- a route on FGT B pointing to FGT A's public address (the VPN gateway address)
1c- a route on FGT A with FGT B's LAN address, pointing to the tunnel
2a- on FGT B, phase 2 selector for "destination" is "0.0.0.0/0" (source is FGT_B_LAN)
2b- on FGT A, phase 2 selector for "source" is "0.0.0.0/0" (dest is FGT_B_LAN)
3a- a policy on FGT B to allow traffic to the internet (from LAN to tunnel, dest=ALL)
3b- a policy on FGT A to allow tunnel traffic to the internet (from tunnel to WAN, dest=ALL) - NAT enabled
As a rule of thumb, enable NAT only in the last policy facing the internet.
So, never on FGT B.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.