Hi,
we have a routing problem and maybe I can get some helpful ideas.
We have an MPLS network with 128.X.0.0/16 in all offices. In office ABC we have a router from the ISP with 128.X.20.0/24 and behind it a FortiGate HA cluster with LAN 192.168.30.0/24. So we route all the traffic to the router IP 128.X.20.1.
The situation is that from our headquarters Azure environment we have a VPN to our main FortiGate cluster with the route for the network 128.X.0.0/16. From there we route via MPLS to ABC without NAT, so that we can see source IPs 192.168.30.X. So this is working just fine.
Now, the problem is that we want to print from Azure to the printers in ABC (192.168.30.100), and since the headquarters firewall routes only 128.X.0.0/16 we have a problem. Also, since they have another company which uses 192.168.0.0/16, they have a VPN with them for all of this network.
We only need from one server in this Azure Network that can connect to our 192.168.30.100 host.
Any ideas or suggestions?
Thanks!
Hello RolandBaumgaertner72,
As far as I understand, you have a topology like the one below:
Azure_HQ <-IPsec-> Fortigate_Main_location <--MPLS--128.x.0.0/16--> <ABC_location_128.x.20.0/24> <--local_LAN--> 192.168.30.0/24.
The goal is to establish a session (TCP or UDP) from Azure_HQ to ABC_location for destination 192.168.30.x?
You can try to do a DNAT/VIP on ABC_location and map 128.x.20.x/24 to 192.168.30.0/24. Let's say the WAN of ABC_location is 128.x.20.1 and you can map it to 192.168.30.30.
From Azure_HQ you have a route for 128.x.20.1 via the IPsec tunnel, then that traffic will be forwarded through MPLS to ABC_location; after that the VIP/DNAT will do the translation from 128.x.20.1 to 192.168.30.30.
Best regards,
Fortinet
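The VIP and policy that the reply above describes, written out as a FortiOS CLI fragment for the ABC FortiGate. This is an added example, not configuration posted in the thread or supplied by Fortinet. The interface names "mpls" and "lan", the object names, the Azure print server address 10.0.0.10/32 and the use of the single raw-printing port 9100 are assumptions; 128.X.20.7 keeps the redacted second octet from the thread and must be replaced with the real address, which has to be a free host in the ISP-routed 128.X.20.0/24 so the MPLS side delivers it to the FortiGate's "mpls" interface.

```fortios
config firewall vip
    edit "vip-abc-printer-9100"
        set comment "Added example: 128.X.20.7:9100 -> 192.168.30.30:9100"
        set extintf "mpls"
        set extip 128.X.20.7
        set portforward enable
        set protocol tcp
        set extport 9100
        set mappedip "192.168.30.30"
        set mappedport 9100
    next
end
config firewall service custom
    edit "TCP-9100-RAW"
        set comment "Raw/JetDirect printing, the only port the assumed print path needs"
        set tcp-portrange 9100
    next
end
config firewall address
    edit "azure-print-server"
        set comment "Assumed address of the one Azure server allowed to print"
        set subnet 10.0.0.10 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "mpls-to-abc-printer"
        set srcintf "mpls"
        set dstintf "lan"
        set srcaddr "azure-print-server"
        set dstaddr "vip-abc-printer-9100"
        set action accept
        set schedule "always"
        set service "TCP-9100-RAW"
        set nat disable
        set logtraffic all
    next
end
```

Two points a practitioner would check before relying on this. First, the policy is deliberately narrow (one source host, one VIP, one service); with "logtraffic all" the forward log then shows every attempt from that host that the VIP does not cover, which is exactly the question the second reply in this thread is trying to answer. Second, "nat disable" keeps the Azure source address unchanged, consistent with the no-NAT design the original poster already runs over MPLS, so the printer's replies must be routable back from the ABC FortiGate through 128.X.20.1; since the Azure-to-ABC path already works in that direction, that route is already in place.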
Hi,
this is what I tried. I configured a VIP on the MPLS interface with NAT for 128.X.20.7 and mapped it to the internal printer 192.168.30.30 with port forwarding 9100. Now I can telnet to 128.X.20.7 and connect to the printer via 9100.
BUT it is not printing. In the printer's web interface on the LAN I get "completed", but it is not printing. I think the VIP and the communication are OK now, but I still have no idea why the printer is not printing. Testing it on the LAN, it works fine.
Thanks!
Hello,
You can try to do a sniffer and debug flow for the source IP address of the PC behind the Azure:
SSH No1:
diagnose debug reset
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow filter saddr x.x.x.x <--- where x.x.x.x is the IP address of the source PC
diagnose debug console timestamp enable
diagnose debug flow trace start 10000
diagnose debug enable
SSH No2:
diagnose sniffer packet any "host x.x.x.x" 4 0 l <-- where x.x.x.x is the IP address of the source PC
So you can see if the printer requires more ports to be opened.
Best regards,
Fortinet
Copyright 2024 Fortinet, Inc. All Rights Reserved.