Hello,
Here is my situation:
1. Firewall FG-200D with three active interfaces, local network, internet and remote locations.
2. Remote locations are on a VPN managed by our provider.
3. Network interface that this VPN is connected has PING enabled.
We are adding one new location, so I have set up the new subnet. That means static route to the specific interface, and adding the new subnet to the groups that the other remote locations belong to. Unfortunatelly, access from local network to new remote subnet is ok, but reverse access from the new subnet to the local network is not working at all. We are not even able to ping the ip address of the firewall network card. Also, nothing from that subnet is logged on the firewall. I have tried everything, I even took a laptop and gave it the ip address that the firewall interface has, and connected it directly to the router, and that laptop can be pinged normally from the remote network.
I hope I have explaned my situation enough. What could be the problem?
Thank you
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The cli diag debug flow is your friend . Search here for tips on hoot execute. Based on if we are understanding you, traffic is working one-way but traffic originated from the new subnet inbound fails?
Is that a correct assumption?
On the new remote subnet can it ping the firewall address assuming you have ping enable and no or lack trusthost allowance
PCNSE
NSE
StrongSwan
Thank you for the quick answer. No Trusted hosts are configures, Ping is enabled on that interface. I have tried diag debug flow, and also:
diag sniffer packet any ‘icmp and host x.x.x.x’
I seems like the ping does not reach the firewall. But how can that be possible when, using a laptop with the same ip as the firewall interface, the laptop responds to ping requests? i really cannot think of anything else to check...
First of all, sorry for the delay in answering.
Thank you once again for your help, you were correct, the problem was on OpenVPN's side. The traffic arrived NAT'ed on the firewall interface because of a temporary setting that the provider had made. Fortunately, after the fourth time that they said they checked everything, they really checked!
Have a nice week.
Before anything else, the first thing I would do is just sniffing (diag debug sniffer) the interface connected to your provider who does the VPN to see if packets initiated by the remote end is actally arriving at your FG. This would isolate the issue if it's on your FG side or the provider/the remote end. My guess is the latter.
I meant to type (diag sniffer packet). sorry.
Your following the right path, so when you add the laptop in the mix, was the FGT interface configured exactly the same? Do you have a topology diagram of what you have?
PCNSE
NSE
StrongSwan
So, let me try to give some more details:
1. Firewall interface ip is 192.168.3.2/24 (ping enabled) and Router interface ip is 192.168.3.1/24, connected directly.
2. Behind the router there are subnets 10.20.30.0/24 to 10.20.39.0/24, there is a static route for each one on the firewall, one object for each, and one group which contains all the objects. That group is used in 2-3 firewall rules.
3. All subnets can ping the firewall interface ip (192.168.3.2), and also the router can ping it.
4. New remote location is 10.20.40.0/24, added static route, created object and added it to the group.
5. Result: Access from central lan to the new location is ok, both pings, rdp, all the rules seem to work. Access from remote location router or remote location pc is impossible. Remote pc pings router interface (192.168.3.1) but nothing further than that. Traceroutes show expected results, they end just before the firewall interface.
6. First test: Put a switch between firewall and router, connect a laptop, give it 192.168.3.5/24 ip and gateway the router. Pc from remote location can ping it, it can ping the remote pc. Laptop can also ping firewall ip and firewall can ping it.
7. Second test: Disconnect firewall, connect router directly to the laptop and give the laptop 192.168.3.2/24 ip and gateway the router. The laptop can ping the remote pc, the remote pc can ping the laptop, total connectivity.
8. During the tests, I have checked logs and run sniffer/debug commands, all show pings from other locations, pings from the new remote location show up nowhere. Also, I have backed up the configuration and checked the file to see if the exising subnets are mentioned anywhere else than static route, object and group. Nothing.
9. Partner that configures vpn to remote locations has checked vpn configuration, with no luck.
My conclusion from all the above is that the vpn configuration is correct. Am I right or am I missing something? If that is true, what can I check on the firewall?
Two things that might or might not be important. First, the firewall was administered up to last year by somebody that is no longer accesible. This is the first new location that we had to add. And second, when I say router, it is not really a router, but an OpenVPN server/aggregator.
I hope I have made everything clear, if not please feel free to ask. I really appreciate your help.
So back up, when you ran diag commands you stated and I quote
I seems like the ping does not reach the firewall
If the remotes are not getting to the firewall that needs to be fix. Dumb question but was a trace route done both ways ( from central LAN to new Subnet & New Subnet to the Fgt interface)
Are you sure no PBR or packet-cal are in path between fortigate -----router-----new-subnet
As a alternative ( I'm suspecting the router btw ) , is it possible to add a loopback address to this openvpn gw and see if you can source pings from that device directly
e.g ( i'm a unix dude btw ;) )
macbook:~ root# ifconfig lo0 10.20.40.11 netmask 255.255.255.255 alias
macbook:~ root# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 10.20.40.11 netmask 0xffffffff
nd6 options=1<PERFORMNUD>
macbook:~ root#
ping -S 10.20.40.11 192.168.3.2
The src would be some 10.20.40.xxxx address you applied on a virtual interface like a loopback on the openvpn server
Just make sure to unset it afterwards.
;)
Ken
PCNSE
NSE
StrongSwan
FWIW I was bored so I place a diagram of how it would look and using .11 as the guinea-pig
Also if this a openvpn server unix, you could dump on the 192.168.3.1 interface for the ping from the firewall.
e.g
tcpdump -i em0 -nnnn -vvvv host 10.20.40.11 and icmp
Lastly, ensure that the new subnet has reach to the fortigate src-address that comes in . So if SNAT is or is not -involved for the central LAN ensure you have two-way routing
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1709 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.