rohitchoudhary1978
New Contributor III

NAT and Routing related

Hi,

PFA an elaborated network diagram. Firewall FGT100D at Site 2 acts as a router only. FGT600c at Site 1 (head office side) has been used for firewall permissions, with different policies created for Site_2. Now the issue is with the routing: when we use NAT at Site_2 it won't show the desktops' local LAN IPs at the Site_1 firewall FGT600c, it just shows the WAN-side IP, i.e., 17.17.17.2 or 18.18.18.2 of the Site_2 firewall, and the IP-based policy won't work. Disabling NAT doesn't let the internet work on the desktops, but it shows connectivity in the Site_2 firewall's terminal window and can ping gmail.com/yahoo etc.

Please help.

*SD-WAN is enabled at Site_2 and P2P leased lines act as the 2 WAN connections.

*D235 mentioned in diagram is equivalent to Site_2

 

Regards

Rohit K

5 Solutions
rwpatterson
Valued Contributor III

Why don't you just NAT on the second Internet facing firewall? Same policy as on the first, but move it to the unit where it does the most good.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

"NAT very often is poor man's routing: if it doesn't work, NAT it, and it will do."

 

Your problem is that the routing configuration is missing. You've got a subnet behind FGT2 which is unknown to FGT1. And vice versa.

NAT is not a solution, it's a kludge. Never NAT if you really have to route.

 

Put a static route on FGT1

192.168.1.0/24 via wan2, gw 17.17.17.2 (assuming wan2 points to leased line, wan1 to internet feed)

and on FGT2

192.168.x.0/24 via wan1, gw 17.17.17.1 (assuming wan1 points to leased line, specify FGT1 LAN subnet)

 

Otherwise, not only will routing be missing, but the FGTs will discard the traffic from the other side as "unknown" (anti-spoof).

I hope this makes sense to you.

You might post the current routing tables if you think routing is already in place.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

ageric
New Contributor

18.18.18.2 and 17.17.17.2 are both public IP addresses, so I'm assuming you're accessing everything across public links on the internet.

 

If that's the case, then no, you won't be able to tell which machine is which on the other side.

 

To get around it, you can set up a VPN tunnel between both sites, a link network inside it and static routes on either side to make sure traffic is properly routed on each side. For that to work, you can't have network overlap between the two sites, so 192.168.1.0/24 can't exist anywhere in the head office.


Leen

Hi,

I have read through this lengthy problem and I think you first have to be clear what you want.

Questions to ask:

- Do I trust my WAN provider enough not to use IPsec tunnels between my locations, and

- even when I trust them is my data safe? Can anybody get access without my permission?

Second

- You want internet access at site 2 but at the same time all policies going through site 1 which means your internet access has to go through site 1.

 

I would suggest setting up IPsec tunnels between the 2 locations, with the default route + policies pointing to the first firewall. Let the first firewall handle access to the internet or intranet.

No need for NAT unless you have overlapping IP ranges.

Make sure that on firewall site 1 there is a route back to your firewall at site 2.

 

If you want to load balance, SD-WAN is one option; you could also use a routing protocol like OSPF that allows you to load balance.

 

Cheers, Leen


sw2090

You will probably need to differentiate traffic by policy:

 

one policy to allow traffic from the subnet on site 2 to the subnet on site 1 without NAT

one policy to allow traffic to any subnet from subnet on site 2 with dstintf site 1 and NAT enabled

 

they must be in this order.

And you need static routes for site 1 at site 2 and vice versa.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

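One way to express the two-policy split sw2090 describes on the Site 2 FortiGate, as an added example that is not from any post in this thread. This is FortiOS CLI; the interface names "internal" (Site 2 LAN) and "virtual-wan-link" (the SD-WAN interface over the two leased lines), the address-object names, and the head-office subnet used for Site1_LAN are assumptions (the thread only gives it as 192.168.x.0/24). The static routes from the other replies are still needed on both firewalls alongside these policies:

```fortios
# Site 2 FGT100D: example policy set, not the thread author's configuration.
# Assumed names: "internal" = Site 2 LAN (192.168.1.0/24),
# "virtual-wan-link" = SD-WAN interface towards the two leased lines.
config firewall address
    edit "Site2_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Site1_LAN"
        # Placeholder: replace with the real head-office LAN subnet (192.168.x.0/24 in the thread).
        set subnet 192.168.0.0 255.255.255.0
    next
end

config firewall policy
    # Policy 1, matched first: site-to-site traffic without NAT, so FGT600c at Site 1
    # sees the real 192.168.1.x source address and its IP-based policies can match it.
    edit 1
        set name "Site2-to-Site1-noNAT"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "Site2_LAN"
        set dstaddr "Site1_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Policy 2, matched for everything else: Internet-bound traffic, source-NATed to the
    # leased-line address (17.17.17.2 / 18.18.18.2) so replies can find their way back.
    edit 2
        set name "Site2-to-Internet-NAT"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "Site2_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Policy lookup is top-down, so the no-NAT policy must sit above the NAT policy; if the NAT policy already exists, use `move 1 before 2` inside `config firewall policy` to reorder. To confirm the result on FGT600c at Site 1, `diagnose sniffer packet any 'host 192.168.1.10' 4` (any Site 2 host address) should now show the real 192.168.1.x source instead of 17.17.17.2, and `get router info routing-table all` should list the 192.168.1.0/24 return route; without that return route the traffic is dropped by the reverse-path (anti-spoof) check that ede_pfau mentions.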
14 REPLIES
rohitchoudhary1978

ageric wrote:

18.18.18.2 and 17.17.17.2 are both public IP addresses, so I'm assuming you're accessing everything across public links on the internet.

 

If that's the case, then no, you won't be able to tell which machine is which on the other side.

 

To get around it, you can set up a VPN tunnel between both sites, a link network inside it and static routes on either side to make sure traffic is properly routed on each side. For that to work, you can't have network overlap between the two sites, so 192.168.1.0/24 can't exist anywhere in the head office.

Hi,

Hmm... an IPsec tunnel is a good idea as well, but I'm still stuck at the permissions I have to set at the site_1 firewall for site_2 users... I think it can be done with some effort.

 

Thanks

Rohit

emnoc
Esteemed Contributor III

If those 2 lines are leased lines, just enable routing. No need for SD-WAN, just ECMP.

 

site2

config router static
  edit 1
    set dst 0.0.0.0/0
    set dev wan(xxx)
    set gateway 17.17.17.1
  next
  edit 2
    set dst 0.0.0.0/0
    set dev wan(xxx)
    set gateway 18.18.18.1
  next
end

site 1

config router static
  edit 1
    set dst 192.168.1.0/24
    set dev wan(xxx)
    set gateway 17.17.17.2
  next
  edit 2
    set dst 192.168.1.0/24
    set dev wan(xxx)
    set gateway 18.18.18.2
  next
end

 

PCNSE 

NSE 

StrongSwan  

rohitchoudhary1978

emnoc wrote:

If those 2 lines are leased lines, just enable routing. No need for SD-WAN, just ECMP.

site2

config router static
  edit 1
    set dst 0.0.0.0/0
    set dev wan(xxx)
    set gateway 17.17.17.1
  next
  edit 2
    set dst 0.0.0.0/0
    set dev wan(xxx)
    set gateway 18.18.18.1
  next
end

site 1

config router static
  edit 1
    set dst 192.168.1.0/24
    set dev wan(xxx)
    set gateway 17.17.17.2
  next
  edit 2
    set dst 192.168.1.0/24
    set dev wan(xxx)
    set gateway 18.18.18.2
  next
end

 

Hi, it's still not working as desired. Without NAT, the site_2 firewall is not allowing traffic to the internet, but it can ping any server itself. The problem remains the same: I cannot assign permissions at the site-1 firewall (web filter, app control etc.) because of the NATed IP addresses, i.e., 17.17.17.2 and 18.18.18.2, and not the exact IP address of that PC in the range of 196.168.1.x.

See, the internet feed is not an issue here as routing works perfectly. The issue is with the IP address that is published at the site_1 firewall for permissions. Hope you understood the need.

 

Thanks a lot

Rohit
