I'm having an issue where our firewall is routing some internal ip addresses out the external public interface instead of across the VPN connection as setup on static routes. Its really weird because its not doing it to all the internal ip connections. Any ideas what would cause this???
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I have seen this issue with incorrect NAT. Just my 2 cents.
HI!
Can you post this config?
routing table:
in CLI: get router info routing-table all
Policy Routes:
config router policy
show
end
Firewall Policys:
config firewall policy
show
Bye!
It was a NAT issue. I turned off NAT for external ping and it appears to be working now. We will see if this pops back up over time.
If tunnels with specific routes bound to the local (tunnel) interface go down, often the default route takes over, which would be your WAN port. Once the tunnel comes back up, the existing sessions using WAN1 will not switch back over.
It may help to create a deny policy above the rest that goes something like this:
config firewall address
edit "10_range"
set subnet 10.0.0.0 255.0.0.0
next
edit "172_range"
set subnet 172.16.0.0 255.240.0.0
next
edit "192_range"
set subnet 192.168.0.0 255.255.0.0
end
config firewall addrgrp
edit "Private"
set member "10_range" "172_range" "192_range"
end
config firewall policy
edit 0
set srcintf internal
set dstintf wan1
set srcaddr all
set dstaddr "Private"
set schedule always
set service ALL
set action deny
next
show <--find the policy you just created
move x before y <--the new policy, 'x', should go before your highest policy 'y'. This will kill sessions trying to use the WAN interface while the tunnel is down until the VPN can be restored
end
Regards, Chris McMullan Fortinet Ottawa
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1709 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.