- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Need help forwarding over a VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help forwarding over a VPN
I have a Fortigate 60D at my remote office. I have a IPSec VPN from my remote office to corporate:
Remote network 192.169.1.x
Corporate network 172.16.x.x
This is all working ok.
I have enabled dns-server on my internal interface:
config system dns-server
edit "internal"
set mode recursive
set webfilter-profile ''
next
end
I have a dns zone for the corporate network:
# get
name : corporate
status : enable
domain : corporate.com
type : master
view : shadow
ttl : 10
authoritative : disable
forwarder : "172.16.1.46"
source-ip : 0.0.0.0
allow-transfer :
primary-name : cp-dc01
contact : bbergquist@canoga.com
If I try resolving an entry such as "somehost.corporate.com" using nslookup, it fails.
Nothing seems to be forwarding to the DNS server @ 172.16.1.46.
Just on a whim now, I try pinging 172.16.1.46 from the unit:
FGT60D4615029118 # execute ping 172.16.1.46
PING 172.16.1.46 (172.16.1.46): 56 data bytes
--- 172.16.1.46 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FGT60D4615029118 #
I can ping this from any workstation on the internal network however.
So I guess how do I setup to do forwarding over the VPN to the corporate network's DNS server? I don't really understand why I cannot ping from the Fortigate unit either.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, I believe I have solved the issue. I needed to set the source-ip to be the internal IP of the firewall which I believe is allowing the request to be properly picked up by the Phase 2 Selectors of the IPSec VPN tunnel to direct the forwarding across the VPN.
I also figured out the ping issue with the
execute ping-options source 192.169.1.1
which again I believe is allowing the request to be mapped by the Phase 2 Selectors of the IPSec VPN tunnel to direct the ping across the VPN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are correct. The important factor here is traffic initiated by the FortiGate itself or traffic passing through the FortiGate. When traffic is initiated by the FortiGate it will use it's own routing table to look up the destination and then use the IP address of the most nearby interface as it's source. When doing "execute ping 172.16.1.46" it will select the outside IP address as its source, but it cannot send the packet out on the WAN link nor the VPN tunnel as the source does not match. For many things this is worked around on the FortiGate by using the source-ip command, such as DNS, syslog, radius, tacacs. In problematic situations for these kinds of management traffic, it is better to use multiple VDOM's and use root as management VDOM. This is also more secure as management traffic is split off from production. But yea not so useful for these smaller 60D units :)
Related Posts
- VIP Port Forwarding Settings for Mapping... 144 Views
- Switch forwards packets to Fortigates as... 172 Views
- Fortiweb x-forwarded-for IP logging in attack... 93 Views
- Port forward fail 240 Views
- Traffic has not forward to another... 327 Views
Labels
-
FortiGate
6,773 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
581 -
FortiAnalyzer
426 -
6.0
416 -
5.6
362 -
FortiSwitch
347 -
FortiAP
347 -
FortiClient EMS
274 -
FortiMail
265 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
162 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
SSL-VPN
70 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiDNS
34 -
SD-WAN
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
23 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
LDAP
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.