NAT and Routing related

rohitchoudhary1978 · ‎09-25-2019

Hi,

Pfa an elaborated network diagram. Firewall FGT100D at Site 2 act as a router only. FGT600c at Site 1 Headoffice side has been used for firewall permissions with different policies created for Site_2. Now the issue is with the routing that when we use NAT at Site_2 it won't show desktops local lan IP at Site_1 firewall FGT600c, it just shows the wan side ip i.e., 17.17.17.2 or 18.18.18.2 of the Site_2 Firewall and the IP based policy won't work. Disabling NAT doesn't let internet work on desktops but it shows connectivity at Site_2 Firewalls terminal window and can ping gmail.com/yahoo etc.

Please help.

*SDWAN is enabled at Site_2 and P2P lease lines act as 2 wan connections.

*D235 mentioned in diagram is equivalent to Site_2

Regards

Rohit K

rwpatterson · ‎09-25-2019

Why don't you just NAT on the second Internet facing firewall? Same policy as on the first, but move it to the unit where it does the most good.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

View solution in original post

ede_pfau · ‎09-25-2019

"NAT very often is poor man's routing: if it doesn't work, NAT it, and it will do."

Your problem is that the routing configuration is missing. You've got a subnet behind FGT2 which is unknown to FGT1. And vice versa.

NAT is not a solution, it's a cludge. Never NAT if you really have to route.

Put a static route on FGT1

192.168.1.0/24 via wan2, gw 17.17.17.2 (assuming wan2 points to leased line, wan1 to internet feed)

and on FGT2

192.168.x.0/24 via wan1, gw 17.17.17.1 (assuming wan1 points to leased line, specify FGT1 LAN subnet)

Otherwise, not only routing will be missing, but the FGTs will discard the traffic from the other side as "unknown" (anti-spoof).

I hope this makes sense to you.

You might post the current routing tables if you think routing is already in place.

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

ageric · ‎09-25-2019

18.18.18.2 and 17.17.17.2 are both public IP addresses, so I'm assuming you're accessing everything across public links on the internet.

If that's the case, then no, you won't be able to tell which machine is which on the other side.

To get around it, you can set up a VPN tunnel between the both sites, a link network inside them and static routes on either side to make sure traffic is properly routed on each side. For that to work, you can't have network overlap between the two sites, so 192.168.1.0/24 can't exist anywhere in the head office.

View solution in original post

Leen · ‎09-26-2019

Hi,

I have read through this lengthy problem and I think you first have to be clear what you want.

Questions to ask;

- Do I trust my WAN provider enought not to use IPSEC tunnels between my locations and

- even when I trust them is my data safe? Can anybody get access without my permission?

Second

- You want internet access at site 2 but at the same time all policies going through site 1 which means your internet access has to go through site 1.

I would suggest setup IPSEC tunnels between 2 locations and default route + policies point to first firewall. Let first firewall handle access to internet or intranet.

No need for nat unless you have overlapping IP ranges.

Make sure that on firewall site 1 there is a route back to your firewall at site 2.

If you want to load balance SDWAN is one; you could also use a routing protocol like OSPF that allows you to load balance.

Cheers, Leen

View solution in original post

sw2090 · ‎09-26-2019

You will need to diffe traffic by policy probably:

one policy to allow traffc from subnet on site 2 to subnet on site 1 without NAT

one policy to allow traffic to any subnet from subnet on site 2 with dstintf site 1 and NAT enabled

they must be in this order.

And you need static routes for site 1 at site 2 and vice versa.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

rohitchoudhary1978 · ‎09-25-2019

Hi, One more update.

While after disabling NAT at Site_2 i checked firewall terminal that i can able to ping gmail.com or any other destination but not able to access internet at desktop.

Rgds

Rohit

Rohit K

rwpatterson · ‎09-25-2019

Why don't you just NAT on the second Internet facing firewall? Same policy as on the first, but move it to the unit where it does the most good.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau · ‎09-25-2019

"NAT very often is poor man's routing: if it doesn't work, NAT it, and it will do."

Your problem is that the routing configuration is missing. You've got a subnet behind FGT2 which is unknown to FGT1. And vice versa.

NAT is not a solution, it's a cludge. Never NAT if you really have to route.

Put a static route on FGT1

192.168.1.0/24 via wan2, gw 17.17.17.2 (assuming wan2 points to leased line, wan1 to internet feed)

and on FGT2

192.168.x.0/24 via wan1, gw 17.17.17.1 (assuming wan1 points to leased line, specify FGT1 LAN subnet)

Otherwise, not only routing will be missing, but the FGTs will discard the traffic from the other side as "unknown" (anti-spoof).

I hope this makes sense to you.

You might post the current routing tables if you think routing is already in place.

Ede Kernel panic: Aiee, killing interrupt handler!

rohitchoudhary1978 · ‎09-25-2019

ede_pfau wrote:
"NAT very often is poor man's routing: if it doesn't work, NAT it, and it will do."

Your problem is that the routing configuration is missing. You've got a subnet behind FGT2 which is unknown to FGT1. And vice versa.
NAT is not a solution, it's a cludge. Never NAT if you really have to route.

Put a static route on FGT1
192.168.1.0/24 via wan2, gw 17.17.17.2 (assuming wan2 points to leased line, wan1 to internet feed)
and on FGT2
192.168.x.0/24 via wan1, gw 17.17.17.1 (assuming wan1 points to leased line, specify FGT1 LAN subnet)

Otherwise, not only routing will be missing, but the FGTs will discard the traffic from the other side as "unknown" (anti-spoof).
I hope this makes sense to you.
You might post the current routing tables if you think routing is already in place.

Hi,

Thanks for the reply. I'll try to do static routing now and let you know if it works.

Rgds

Rohit

Rohit K

rohitchoudhary1978 · ‎09-27-2019

ede_pfau wrote:
"NAT very often is poor man's routing: if it doesn't work, NAT it, and it will do."

Your problem is that the routing configuration is missing. You've got a subnet behind FGT2 which is unknown to FGT1. And vice versa.
NAT is not a solution, it's a cludge. Never NAT if you really have to route.

Put a static route on FGT1
192.168.1.0/24 via wan2, gw 17.17.17.2 (assuming wan2 points to leased line, wan1 to internet feed)
and on FGT2
192.168.x.0/24 via wan1, gw 17.17.17.1 (assuming wan1 points to leased line, specify FGT1 LAN subnet)

Otherwise, not only routing will be missing, but the FGTs will discard the traffic from the other side as "unknown" (anti-spoof).
I hope this makes sense to you.
You might post the current routing tables if you think routing is already in place.

Hi,

I got your earlier answer on this forum and was related to me.... and it Works :)

https://forum.fortinet.com/tm.aspx?m=142884

Thanks and Regards

Rohit

Rohit K

rohitchoudhary1978 · ‎09-25-2019

rwpatterson wrote:
Why don't you just NAT on the second Internet facing firewall? Same policy as on the first, but move it to the unit where it does the most good.

Hi,

Thanks for the reply.

You mean on site_1.. Right. Its already NAT but on site_2 its won't deliver internet without NAT. Anyways internet is not an issue, the issue is with the permissions(web filter, app control etc) which are at site_1 firewall FGT600c as it is of high capacity and capable for high usage as well. How can i allow traffic for various users like some are trusted users from management and some are normal users.. until i read the ip of the raange 196.168.1.x at my site_1 firewall. Here i am getting just 2 ip 17.17.17.2 and 18.18.18.2 as they are load balanced point to point lease lines and not internet. i hope you understand.

Regards

Rohit

Rohit K

sw2090 · ‎09-26-2019

You will need to diffe traffic by policy probably:

one policy to allow traffc from subnet on site 2 to subnet on site 1 without NAT

one policy to allow traffic to any subnet from subnet on site 2 with dstintf site 1 and NAT enabled

they must be in this order.

And you need static routes for site 1 at site 2 and vice versa.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

emnoc · ‎09-26-2019

NAT is not needed at the site2 if his internet is at site1. He only needs a SNAT at site1 that let's the src.addr 192.168.1.0/24 out. Routing at site1/site2 needs to be straighten out. IPSEC is not required ( they are lease lines p2p )

OP, can you do on site1/2

get route info routing all

Ken Felix

PCNSE

NSE

StrongSwan

sw2090 · ‎09-26-2019

yes that's probably the easiest solution emnoc.

Site2: static route to site 1 and a policy that allows traffic to site 1 for any subnet that is not on site 2 without NAT

Site1: static route to site 2 and policy to allow site 1 to acces site 2 without NAT and policy to allow site 2 to any with NAT.

with that Site 2 can access Site 1 for internal services like remote desktiop without getting natted and it can access the internet via Site 1 with NAT.

Just mind the order of the policies. The internet one on Site must be behind the other one since policies are first come first serve on a FGT ;)

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

NAT and Routing related

Nominate a Forum Post for Knowledge Article Creation