Policy route query
Hi
I have a query regarding policy routes. We have a customer whose network is connected to our firewall as in the diagram. Their network overlaps with our own internal network subnets. In order to support our customer, we need to jump onto some servers on their network, say 10.40.1.10. We are using an RDP jump box, located in our DMZ, to jump across onto the customer network. The problem is that if we try and connect to 10.40.1.10, the firewall static route sends us out our internal interface instead of the customer interface. BTW, we have devices on 10.40.1.0/24 in our network too, but the RDP server doesn't need to connect to them.
I am thinking about using policy routing to get around this issue on the FortiGate 100E. Is that something I can do? Will the policy rule overrule the static route? Am I on the right track, or will I need to use NAT?
Yes a policy route does override the routing table so would do what you want.
under Network | policy route
click create new
protocol: any
incoming interface: DMZ
source address: 172.18.26.24/255.255.255.255
destination address: 10.40.1.10/255.255.255.255 (or select address objects)
Action: forward traffic
Outgoing interface: Customer
Gateway address: 10.40.1.1
Enable: yes
You will also need to add a firewall policy to allow the traffic
from DMZ to Customer
Source         Destination   Service   NAT
172.18.26.24   10.40.1.10    RDP       No
If you need to access several hosts in the Customer network and the jumpbox doesn't need to access the internal 10.40.1.0/24 subnet, then add the subnet 10.40.1.0/24 as the destination in the policy route so that any traffic to that subnet is sent to the customer network.
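The policy route and firewall policy described in the answer above, written out as FortiOS CLI so it can be pasted or compared against a running config. This is an added example, not the poster's configuration or Fortinet documentation: the interface names "dmz" and "customer", the address-object names, the policy-route ID and the policy name are assumptions; the IP addresses, gateway and service are the ones given in the answer. The verification commands at the end are standard FortiOS diagnostics.

```fortios
# Added example (not from the original post). Assumed names: interfaces
# "dmz" and "customer", address objects, policy-route ID 1, policy name.

# Address objects so the firewall policy can reference the hosts by name
# rather than bare subnets.
config firewall address
    edit "jumpbox-172.18.26.24"
        set subnet 172.18.26.24 255.255.255.255
    next
    edit "customer-10.40.1.10"
        set subnet 10.40.1.10 255.255.255.255
    next
end

# Policy route: evaluated before the routing table, so it takes precedence
# over the static route for 10.40.1.0/24 that points at the internal
# interface. Scope it to the jumpbox only; every other DMZ host keeps
# normal routing to the internal 10.40.1.0/24.
config router policy
    edit 1
        set input-device "dmz"
        set src "172.18.26.24/255.255.255.255"
        # Widen dst to "10.40.1.0/255.255.255.0" if the jumpbox must reach
        # several customer hosts and never the internal 10.40.1.0/24.
        set dst "10.40.1.10/255.255.255.255"
        set protocol 0
        set gateway 10.40.1.1
        set output-device "customer"
        set status enable
    next
end

# Firewall policy: RDP only, jumpbox to that one host, no NAT, logged.
config firewall policy
    edit 0
        set name "dmz-jumpbox-to-customer-rdp"
        set srcintf "dmz"
        set dstintf "customer"
        set srcaddr "jumpbox-172.18.26.24"
        set dstaddr "customer-10.40.1.10"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat disable
        set logtraffic all
    next
end

# Verification from the CLI:
# list active policy routes and their match criteria
diagnose firewall proute list
# the routing table still shows the internal route; that is expected, the
# policy route is consulted separately before it
get router info routing-table details 10.40.1.10
# confirm the RDP SYNs actually leave on the customer interface
diagnose sniffer packet customer 'host 10.40.1.10 and port 3389' 4 10
```

Two points worth checking when applying this. First, the policy route only matches traffic entering on the DMZ interface from the jumpbox, so the overlap is resolved for that one path without touching how the rest of the network reaches the internal 10.40.1.0/24. Second, keep the firewall policy as narrow as the policy route: with overlapping address space a broad "any" service or source would let other DMZ hosts, or other protocols from the jumpbox, be steered into the customer network by accident.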
Correct, but you could fix this with a DNAT VIP using one of your addresses and map it to the customer server. Just add an internal DNS name and have your users use it.
Ken Felix
PCNSE
NSE
StrongSwan
Hi, thanks for that and the PBR example.
