- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Routing Problem - Any Suggestions
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Routing Problem - Any Suggestions
Hi,
we have a routing problem and maybe I can get some helpful ideas.
We have a MPLS network with 128.X.0.0/16 in all offices. In Office ABC we have a router from the ISP with 128.X.20.0/24 and behind a FG HA with LAN 192.168.30.0/24. So we route all the traffic to the router IP 128.X.20.1.
The situation is that from our headquarter Azure environment we have a VPN to our main FG Cluster with the route for the network 128.X.0.0/16. From there we route via MPLS to ABC without NAT so that we can see source IPs 192.168.30.X. So this is working just fine.
Now, the problem is that we want to print from Azure to the printers in ABC 192.168.30.100 and since the Headquarter Firewall routes only 128.X.0.0/16 we have a problem. Also since they have another company which uses 192.168.0.0/16, they have with them a VPN for all this network.
We only need from one server in this Azure Network that can connect to our 192.168.30.100 host.
Any ideas or suggestions?
Thanks!
Labels:
- Labels:
-
FortiGate
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello RolandBaumgaertner72,
As far as i understand you have topology like this one bellow :
Azure_HQ <-IPsec-> Fortigate_Main_location <--MPLS--128.x.0.0/16--> <ABC_location_128.x.20.0/24> <--local_LAN--> 192.168.30.0/24.
The goal is to establish session (TCP or UDP) from Azure_HQ to ABC_location for destination 192.168.30.x ?
You can try to do a DNAT/VIP on ABC_Location and map 128.x.20.x/24 to 192.168.30.0/24. Let's say the WAN of ABC_location is 128.x.20.1 and you can MAP it to 192.168.30.30.
From Azure_HQ you have a route for 128.x.20.1 via the IPsec tunnel, then that traffic will be forwared throught MPLS to ABC_location, after that VIP/DNAT will do the translation from 128.x.20.1 to 192.168.30.30.
Best regards,
Fortinet
.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
this is what I tried. I configured a VIP on the MPLS interfae with NAT for 128.X.20.7 and mapped it to the internal printer 192.168.30.30 with port forwarding 9100. Now I can telnet 128.X.20.7 to the printer and connect via 9100.
BUT it is not printing. On the web on the printer in the LAN I get completed but it is not printing. I think the VIP and the communication is OK now but still no idea why the printer is not printing. Testing it on the LAN it works fine.
Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You can try to do a sniffer and debug flow for the source IP address of the PC behind the Azure:
SSH No1:
diagnose debug reset
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow filter saddr x.x.x.x <--- where x.x.x.x is the IP address of the source PC
diagnose debug console timestamp enable
diagnose debug flow trace start 10000
diagnose debug enable
SSH No2 :
diagnose sniffer packet any "host x.x.x.x " 4 0 l <-- where x.x.x.x is the IP address of the source PC
So you can see if the printer requires more ports to be opened .
Best regards,
Fortinet
.
Related Posts
- SDWAN Rules not loading. Circle of... 97 Views
- Two different websites (domains) on two... 107 Views
- BGP Peering - My Fortigate -... 238 Views
- Policy based routing to IPsec tunnel 184 Views
- FortiClient connects but only receives 33... 561 Views
Labels
-
FortiGate
6,531 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.