Dear All,
This is my first time making a post. I've been using this forum as a reference for my day-to-day administration of our FortiGate devices. This forum has been informative and I hope I can contribute and be able to help others. Right now I have a problem with my FortiGate. I've been struggling with it for a while and I think it's time to seek help. I encourage anyone to jump in and join the discussion.
This is my scenario:
We have 2 offices, Headquarters and a remote branch. These two sites are connected with an IPsec site-to-site VPN. Servers and services in the HQ are accessed by the remote branch using this VPN. Recently we acquired Azure services. We placed some of the servers in Azure. HQ and Azure have a route-based site-to-site VPN connection, so servers in Azure are accessible from HQ. My problem is with the remote branch: it cannot access the servers in Azure. Although this could be resolved by creating a site-to-site VPN between Azure and the remote branch, management is reluctant to do that as it involves another cost. To resolve this problem, I was thinking of using the existing VPN tunnel between HQ and Azure. So basically access from the remote branch will pass through the VPN tunnel to HQ and then pass through the VPN tunnel to Azure (please see the red line in the illustration). Can someone please give me direction on how to achieve this, or whether this is even possible with my current FortiGate devices?
HQ Fortigate Device: FG 200E
Remote Branch Fortigate Device: FG 50E
Network illustration
Hi John,
Please follow the steps below.
1. Add a new route in your branch firewall.
destination --> Azure local IP (e.g. 10.30.0.0/24)
device --> VPN tunnel to HO
distance --> any
2. Create a new IP pool with any free IP from the HQ IP range in the HQ firewall (if the HQ IP range is 192.168.0.0/24, then create a new IP pool with 192.168.0.254). The IP pool can be created under Firewall --> IP Pool.
3. Create a policy in the HO firewall from the branch (FortiGate 50E) VPN interface to the Azure VPN interface, enable NAT with Dynamic IP pool, and point it to the created NAT IP pool.
Now when you try to access the Azure address from the branch, it will route through the IPsec tunnel and the traffic will pass with the HQ IP (192.168.0.254), which is trusted by Azure.
Please check and update.
Regards
Mahesh
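Mahesh's three steps written out as a FortiOS CLI script, split into the branch part and the HQ part. This is an added example, not Mahesh's own configuration or anything from the original thread. The subnets 10.30.0.0/24 and 192.168.0.0/24 and the pool address 192.168.0.254 are the values from his post; the tunnel interface names `to_HQ`, `to_branch` and `to_azure`, the address object names, and the branch LAN 192.168.10.0/24 are assumptions made up for the example.

```fortios
# ---------- Branch FortiGate (FG 50E) ----------
# Step 1: send the Azure subnet (10.30.0.0/24, from the post) into the
# existing tunnel to HQ. "to_HQ" is an assumed tunnel interface name.
config router static
    edit 0
        set dst 10.30.0.0 255.255.255.0
        set device "to_HQ"
        set comment "Azure reached via HQ hub"
    next
end

# ---------- HQ FortiGate (FG 200E) ----------
# Address objects for the policy. The branch LAN 192.168.10.0/24 is a
# constructed placeholder; the post does not give the branch subnet.
config firewall address
    edit "branch-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "azure-lan"
        set subnet 10.30.0.0 255.255.255.0
    next
end

# Step 2: a one-address IP pool using a free HQ address (192.168.0.254).
# "overload" means every branch host shares this single source IP (PAT),
# so Azure only ever sees an address from the HQ range it already trusts.
config firewall ippool
    edit "azure-snat-pool"
        set type overload
        set startip 192.168.0.254
        set endip 192.168.0.254
    next
end

# Step 3: policy from the branch tunnel interface to the Azure tunnel
# interface with source NAT to the pool. Interface names are assumed.
# Logging is on so the hub shows whether branch traffic ever arrives.
config firewall policy
    edit 0
        set name "branch-to-azure-via-hq"
        set srcintf "to_branch"
        set dstintf "to_azure"
        set srcaddr "branch-lan"
        set dstaddr "azure-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "azure-snat-pool"
        set logtraffic all
    next
end

# ---------- Checks (run on the HQ unit) ----------
# get router info routing-table all
#   expect 192.168.10.0/24 via to_branch and 10.30.0.0/24 via to_azure
# diagnose sniffer packet to_azure 'net 10.30.0.0/24' 4 10
#   outbound packets should carry source 192.168.0.254, not a branch address
# diagnose vpn tunnel list name to_branch
#   confirms the branch tunnel is up and shows its phase 2 selectors
```

Two things the post leaves unstated that decide whether this works. First, the route-based tunnel between branch and HQ only carries 10.30.0.0/24 if its phase 2 selectors allow it: with 0.0.0.0/0 selectors on both ends nothing else is needed, but with per-subnet selectors the Azure subnet has to be added to that tunnel on both the FG 50E and the FG 200E, otherwise the packets are dropped before they reach the policy. Second, the HQ-to-Azure tunnel needs no change, because after the NAT Azure only sees 192.168.0.254 from the HQ range it already trusts, and the return traffic naturally comes back over the existing HQ tunnel.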
It's not working, can anyone do it live?
Copyright 2023 Fortinet, Inc. All Rights Reserved.