Passing traffic from a remote office to the main office and then to a 3rd party
An IPsec tunnel is already working from the main office to the Web App (3rd Party). What we need is traffic destined for the third party to pass through the main office from the remote office, which already is using an IPsec tunnel for traffic to the main office. The company has only paid for 1 VPN tunnel, so I can't go directly from the remote office. I would appreciate any help. If more information/images are required, please let me know.
Both the remote and main office firewalls are using Firmware v7.2.5 build1517 (Feature)
Labels: FortiGate
If you can't change the VPN configuration on the 3rd-party side and it's configured to reach only one subnet, then a solution could be to NAT the requests coming from the remote office using one of the IPs of the main office.
If you have found a solution, please like and accept it to make it easily accessible for others.
Hi @FTAdmin,
You will need to add the 3rd-party and remote office networks to the phase 2 selectors of the IPsec tunnels and create firewall policies to allow traffic between the 3rd-party and remote office tunnels.
Regards,
Edit the phase 2 selectors of the main office IPsec tunnel to the 3rd party to include the remote office network the workstations are using?
@FTAdmin You need to follow the steps below:
1. You need to add the 3rd-party address to the phase 2 selectors of the main firewall if that traffic is behind the main firewall.
2. You can configure SNAT/DNAT for this traffic to move it from the main office to the third-party web app if the traffic is NATed after hitting the main firewall.
Hi @FTAdmin ,
1) The Web App (3rd Party) IP has to be part of the remote for the Selector in phase 2 settings of the IPSec VPN between Remote Office FGT and Main Office FGT. If it is 0.0.0.0/0.0.0.0, you may skip this step.
2) On the Main Office FGT, the Remote Office subnet needs to be part of the local for the Selector in Phase2 settings of the IPSec VPN to the Web App. Make sure that the selector settings are matching on the Main Office and Web App.
3) I assume that the IPSec VPNs are both Interface-based. You need to create two firewall policies on Main Office FGT to allow traffic between those two IPSec VPN tunnels (using the IPSec VPN tunnel interfaces as source/destination Interfaces).
4) If Web App side does not have the Remote Office subnet as a part of the remote in Selector settings for Phase 2 settings and they do not want to modify the Selector settings, you may consider enabling NAT in the above firewall policy in Step 3.
Jerry
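The hub-side steps from the answers above written out in FortiOS CLI form, as an added illustration that is not part of any of the posts. It assumes constructed values: remote office LAN 10.20.0.0/16, web app 203.0.113.10/32, a main office NAT address 10.10.0.254, and tunnel interface names "to-remote-office" and "to-webapp"; the SNAT variant is the step 4 case where the 3rd party will only accept the main office subnet in its selector.

```fortios
# Added example (not from the thread): hub-side config on the Main Office FGT.
# Assumed: remote LAN 10.20.0.0/16, web app 203.0.113.10/32, NAT IP 10.10.0.254.
config firewall address
    edit "REMOTE_OFFICE_LAN"
        set subnet 10.20.0.0 255.255.0.0
    next
    edit "WEBAPP_3RDPARTY"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Step 1 mirrored on the hub: the spoke tunnel must carry web app <-> remote LAN.
config vpn ipsec phase2-interface
    edit "p2-webapp-to-remote"
        set phase1name "to-remote-office"
        set src-subnet 203.0.113.10 255.255.255.255
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end

# Step 4: the 3rd party only accepts the main office subnet in its selector,
# so source-NAT remote office traffic to a main office address instead of
# widening the phase 2 selector of the "to-webapp" tunnel.
config firewall ippool
    edit "MAIN_OFFICE_SNAT"
        set type overload
        set startip 10.10.0.254
        set endip 10.10.0.254
    next
end

# Step 3: tunnel-to-tunnel policy. Keep srcaddr/dstaddr narrow, not "all".
config firewall policy
    edit 0
        set name "remote-to-webapp"
        set srcintf "to-remote-office"
        set dstintf "to-webapp"
        set srcaddr "REMOTE_OFFICE_LAN"
        set dstaddr "WEBAPP_3RDPARTY"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "MAIN_OFFICE_SNAT"
    next
end
```

The Remote Office FGT needs the mirrored phase 2 pair (local 10.20.0.0/16, remote 203.0.113.10/32) and a static route for 203.0.113.10 via its tunnel interface. A return policy from "to-webapp" to "to-remote-office" is only needed if the web app initiates connections, which the SNAT variant does not support.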