I'm having some routing issues with an MPLS circuit that terminates on an interface to my Fortinet.
MPLS Fortinet Interface IP:10.200.66.1
AT&T MPLS HSRP Router IP:10.200.67.2
I've added a static route for 198.105.206.0/24 to HSRP 10.200.67.1. I've created a security policy for my internal/trusted zone to MPLS to allow everything. I can't ping anything on the other end but the LAN.
I don't maintain the AT&T Cisco router or any of the config. I was told by the vendor to add their public blocks via static route and point to HSRP of the cisco router. I'm at a loss here.
Here is traceroute that shows it makes it to AT&T MPLS router but nowhere else:
Tracing route to ts099.scl.five9.com [198.105.206.150]
over a maximum of 30 hops:

  1     1 ms    <1 ms     1 ms  10.200.32.1
  2    <1 ms     2 ms     3 ms  192.168.53.1
  3    <1 ms    <1 ms    <1 ms  bedfordfortigate.daystartv.internal [10.200.106.1]
  4    <1 ms    <1 ms    <1 ms  10.200.67.2
  5     *        *        *     Request timed out.
  6     *  ^C
H:\>
I don't have experience with AT&T's MPLS. But if they were to assign a public subnet on the interface, the HSRP interface should have the public subnet (likely a /29, or in addition to the 10.200 IPs used only to communicate between the two Cisco routers). You should be able to call their support and ask what you should configure on your FGT interface and with what GW IP.
I would run a Wireshark on the WAN port and see what traffic is hitting that interface.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
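The checks the two replies above suggest (confirm the static route toward the carrier's HSRP address, then watch what actually leaves the MPLS-facing port) can be done from the FortiGate CLI. This is an added example, not configuration from the original thread or from Fortinet: the interface names "internal" and "port2" are assumed, the gateway uses the 10.200.67.2 HSRP router address quoted in the first post (the thread also mentions 10.200.67.1; use whichever VIP the carrier gives you), and the policy is a minimal allow-all matching what the poster described.

```fortios
# --- Static route for the far-end public block, next hop = the carrier's HSRP VIP ---
# "port2" is an assumed name for the interface holding 10.200.66.1.
config router static
    edit 0
        set dst 198.105.206.0 255.255.255.0
        set gateway 10.200.67.2
        set device "port2"
    next
end

# --- Allow-all policy from the trusted zone to the MPLS interface (as described in the post) ---
# "internal" is an assumed name for the LAN/trusted interface. No NAT is enabled here;
# whether the carrier expects your LAN addresses or a translated source is something to
# confirm with them before turning NAT on.
config firewall policy
    edit 0
        set name "LAN-to-MPLS"
        set srcintf "internal"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Verify the FortiGate really picks that route for the far-end host ---
get router info routing-table details 198.105.206.150

# --- Ping from the MPLS-facing address, so the carrier sees the source on the circuit ---
execute ping-options source 10.200.66.1
execute ping 198.105.206.150

# --- The Wireshark suggestion, done on the firewall itself ---
# Capture on the MPLS port for the far-end host; verbosity 4 prints interface and headers,
# 20 is the packet count. Requests going out with no replies coming back means the
# problem is beyond the FortiGate, on the carrier side.
diagnose sniffer packet port2 'host 198.105.206.150' 4 20
```

If the sniffer shows ICMP echo requests leaving port2 toward the HSRP router and nothing returning, the FortiGate has done its part; the remaining question is what the carrier does with that source address, which is where this thread ended up.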
I wasn't informed of a public subnet. I was just told to connect the MPLS to my LAN and add the public routes of the other side via public block.
If the public subnet is supposed to be configured on the "inside" interface, you must have ordered it from AT&T; then AT&T routes that particular subnet from/to the internet to/from your MPLS circuit. If you didn't order it but they say they would provide a public subnet like a /30, that must be for the "wan-side" interface to connect to their MPLS router.
Either way, call their support. They will tell you exactly what you need to do.
We're working with a VOIP softphone company that ordered the MPLS circuits. I was told it was a platinum MPLS circuit. Yesterday we did some troubleshooting where I bypassed the switch I was using and went straight to my firewall and I still can't get out. I hooked a laptop directly up to AT&T's MPLS router and still can't reach the other side. The softphone people said something about NAT translation isn't working properly.
The problem has been identified. AT&T had a problem with NAT translation and corrected the issue.
Copyright 2024 Fortinet, Inc. All Rights Reserved.