Hi,
Pfa an elaborated network diagram. Firewall FGT100D at Site 2 act as a router only. FGT600c at Site 1 Headoffice side has been used for firewall permissions with different policies created for Site_2. Now the issue is with the routing that when we use NAT at Site_2 it won't show desktops local lan IP at Site_1 firewall FGT600c, it just shows the wan side ip i.e., 17.17.17.2 or 18.18.18.2 of the Site_2 Firewall and the IP based policy won't work. Disabling NAT doesn't let internet work on desktops but it shows connectivity at Site_2 Firewalls terminal window and can ping gmail.com/yahoo etc.
Please help.
*SDWAN is enabled at Site_2 and P2P lease lines act as 2 wan connections.
*D235 mentioned in diagram is equivalent to Site_2
Regards
Rohit K
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Why don't you just NAT on the second Internet facing firewall? Same policy as on the first, but move it to the unit where it does the most good.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
"NAT very often is poor man's routing: if it doesn't work, NAT it, and it will do."
Your problem is that the routing configuration is missing. You've got a subnet behind FGT2 which is unknown to FGT1. And vice versa.
NAT is not a solution, it's a cludge. Never NAT if you really have to route.
Put a static route on FGT1
192.168.1.0/24 via wan2, gw 17.17.17.2 (assuming wan2 points to leased line, wan1 to internet feed)
and on FGT2
192.168.x.0/24 via wan1, gw 17.17.17.1 (assuming wan1 points to leased line, specify FGT1 LAN subnet)
Otherwise, not only routing will be missing, but the FGTs will discard the traffic from the other side as "unknown" (anti-spoof).
I hope this makes sense to you.
You might post the current routing tables if you think routing is already in place.
18.18.18.2 and 17.17.17.2 are both public IP addresses, so I'm assuming you're accessing everything across public links on the internet.
If that's the case, then no, you won't be able to tell which machine is which on the other side.
To get around it, you can set up a VPN tunnel between the both sites, a link network inside them and static routes on either side to make sure traffic is properly routed on each side. For that to work, you can't have network overlap between the two sites, so 192.168.1.0/24 can't exist anywhere in the head office.
Hi,
I have read through this lengthy problem and I think you first have to be clear what you want.
Questions to ask;
- Do I trust my WAN provider enought not to use IPSEC tunnels between my locations and
- even when I trust them is my data safe? Can anybody get access without my permission?
Second
- You want internet access at site 2 but at the same time all policies going through site 1 which means your internet access has to go through site 1.
I would suggest setup IPSEC tunnels between 2 locations and default route + policies point to first firewall. Let first firewall handle access to internet or intranet.
No need for nat unless you have overlapping IP ranges.
Make sure that on firewall site 1 there is a route back to your firewall at site 2.
If you want to load balance SDWAN is one; you could also use a routing protocol like OSPF that allows you to load balance.
Cheers, Leen
You will need to diffe traffic by policy probably:
one policy to allow traffc from subnet on site 2 to subnet on site 1 without NAT
one policy to allow traffic to any subnet from subnet on site 2 with dstintf site 1 and NAT enabled
they must be in this order.
And you need static routes for site 1 at site 2 and vice versa.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
18.18.18.2 and 17.17.17.2 are both public IP addresses, so I'm assuming you're accessing everything across public links on the internet.
If that's the case, then no, you won't be able to tell which machine is which on the other side.
To get around it, you can set up a VPN tunnel between the both sites, a link network inside them and static routes on either side to make sure traffic is properly routed on each side. For that to work, you can't have network overlap between the two sites, so 192.168.1.0/24 can't exist anywhere in the head office.
ageric wrote:Hi,18.18.18.2 and 17.17.17.2 are both public IP addresses, so I'm assuming you're accessing everything across public links on the internet.
If that's the case, then no, you won't be able to tell which machine is which on the other side.
To get around it, you can set up a VPN tunnel between the both sites, a link network inside them and static routes on either side to make sure traffic is properly routed on each side. For that to work, you can't have network overlap between the two sites, so 192.168.1.0/24 can't exist anywhere in the head office.
Hmm .. ipsec tunnel is a good idea as well.. but still stuck at permissions i have to set at site_1 firewall for site_2 users... I think it can be done with some effort
Thanks
Rohit
If those 2 lines are lease lines just enable routing.No ned for sdwan just ecmp.
site2
config router static
edit 1
set dst 0.0.0.0/0
set dev wan(xxx)
set gateway 17.17.17.1
next
edit 2
set dst 0.0.0.0/0
set dev wan(xxx)
set gateway 18.18.18.1
next
site 1
config router static
edit 1
set dst 192.168.1.0/24
set dev wan(xxx)
set gateway 17.17.17.2
next
edit 2
set dst 192.168.1.0/24
set dev wan(xxx)
set gateway 18.18.18.2
next
PCNSE
NSE
StrongSwan
emnoc wrote:Hi, Its still not working as desired. Without NAT, site_2 firewall is not allowing traffic to internet but it can ping any server itself. Problem remains same as cannot able to assign permissions at site-1 firewall(webfiler, app control etc) as due to natted ip address i.e., 17.17.17.2 and 18.18.18.2 and not exact ip address of that pc in the range of 196.168.1.x.If those 2 lines are lease lines just enable routing.No ned for sdwan just ecmp.
site2
config router static
edit 1
set dst 0.0.0.0/0
set dev wan(xxx)
set gateway 17.17.17.1
next
edit 2
set dst 0.0.0.0/0
set dev wan(xxx)
set gateway 18.18.18.1
next
site 1
config router static
edit 1
set dst 192.168.1.0/24
set dev wan(xxx)
set gateway 17.17.17.2
next
edit 2
set dst 192.168.1.0/24
set dev wan(xxx)
set gateway 18.18.18.2
next
See, internet feed is not an issue here as routing works perfectly. The issue is with the ip address what published at site_1 firewall for permissions. Hope you understood the need.
Thanks a lot
Rohit
Hi,
I have read through this lengthy problem and I think you first have to be clear what you want.
Questions to ask;
- Do I trust my WAN provider enought not to use IPSEC tunnels between my locations and
- even when I trust them is my data safe? Can anybody get access without my permission?
Second
- You want internet access at site 2 but at the same time all policies going through site 1 which means your internet access has to go through site 1.
I would suggest setup IPSEC tunnels between 2 locations and default route + policies point to first firewall. Let first firewall handle access to internet or intranet.
No need for nat unless you have overlapping IP ranges.
Make sure that on firewall site 1 there is a route back to your firewall at site 2.
If you want to load balance SDWAN is one; you could also use a routing protocol like OSPF that allows you to load balance.
Cheers, Leen
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.