An IPsec tunnel is already working from the main office to the Web App (3rd party). What we need is for traffic destined for the third party to pass through the main office from the remote office, which is already using an IPsec tunnel for traffic to the main office. The company has only paid for 1 VPN tunnel, so I can't go directly from the remote office. I would appreciate any help. If more information/images are required, please let me know.
Both the remote and main office firewalls are using Firmware v7.2.5 build1517 (Feature)
If you can't change the VPN configuration on the 3rd party side and it's configured to reach only one subnet, then a solution could be to NAT the requests coming from the remote office using one of the IPs of the main office.
Hi @FTAdmin,
You will need to add 3rd party and remote office networks to phase2 selectors of IPsec tunnels and create firewall policies to allow traffic between 3rd party and remote office tunnels.
Regards,
Edit the phase 2 selectors of the main office IPsec tunnel to the 3rd party to include the remote office network that the workstations are using?
@FTAdmin You need to follow the steps below:
1. You need to add the 3rd party address to the phase-2 selectors of the main firewall if that traffic is behind the main firewall.
2. You can configure SNAT/DNAT for this traffic to move traffic from the main office to the third party web app if the traffic is NATed after hitting the main firewall.
Hi @FTAdmin ,
1) The Web App (3rd Party) IP has to be part of the remote selector in the Phase 2 settings of the IPsec VPN between the Remote Office FGT and the Main Office FGT. If it is 0.0.0.0/0.0.0.0, you may skip this step.
2) On the Main Office FGT, the Remote Office subnet needs to be part of the local selector in the Phase 2 settings of the IPsec VPN to the Web App. Make sure that the selector settings match on the Main Office and Web App sides.
3) I assume that both IPsec VPNs are interface-based. You need to create two firewall policies on the Main Office FGT to allow traffic between those two IPsec VPN tunnels (using the IPsec VPN tunnel interfaces as source/destination interfaces).
4) If the Web App side does not have the Remote Office subnet as part of the remote selector in its Phase 2 settings and they do not want to modify the selector settings, you may consider enabling NAT in the firewall policy from Step 3.
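As an added example (not from any poster in this thread), this is what steps 1-4 could look like in FortiOS CLI on the Main Office FGT (the hub). It assumes interface-mode tunnels named to-remote and to-webapp, a main LAN of 10.1.0.0/24, a remote LAN of 10.2.0.0/24, a Web App network of 203.0.113.0/24 and HTTPS as the only needed service; every name and address is a constructed placeholder.

```fortios
# Main Office FGT (hub). All names and addresses below are constructed placeholders.
config firewall address
    edit "REMOTE_LAN"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "WEBAPP_NET"
        set subnet 203.0.113.0 255.255.255.0
    next
end
# Step 2: extra phase2 on the Web App tunnel so the remote LAN is a local selector.
# Only needed without NAT; the 3rd party must then mirror it (remote 10.2.0.0/24).
config vpn ipsec phase2-interface
    edit "to-webapp-remote-p2"
        set phase1name "to-webapp"
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 203.0.113.0 255.255.255.0
    next
    # Step 1 (hub side): let the Web App network ride the remote-office tunnel.
    edit "to-remote-webapp-p2"
        set phase1name "to-remote"
        set src-subnet 203.0.113.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# Step 4 (optional): hide the remote LAN behind one main-office IP that is
# already covered by the existing selector, so the 3rd party changes nothing.
config firewall ippool
    edit "MAIN_SNAT"
        set startip 10.1.0.254
        set endip 10.1.0.254
    next
end
# Step 3: policy from the remote-office tunnel interface into the Web App tunnel.
config firewall policy
    edit 0
        set name "remote-to-webapp"
        set srcintf "to-remote"
        set dstintf "to-webapp"
        set srcaddr "REMOTE_LAN"
        set dstaddr "WEBAPP_NET"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "MAIN_SNAT"
    next
end
```

The Remote Office FGT needs the mirror of step 1 (phase2 with src 10.2.0.0/24, dst 203.0.113.0/24 on its tunnel to the hub) plus a static route for 203.0.113.0/24 via that tunnel; the hub's route to the Web App already exists because the main office tunnel is working. With NAT enabled only this one policy is required for sessions the remote office initiates, and the phase2 entry "to-webapp-remote-p2" can be left out.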