Hello,
this is my first post. I thank the administrators for accepting my request.
I come straight to the point.
My goal: reach and install a printer (192.168.0.246/32) which is "two FGT ahead" (from 192.168.177.0/24)
My scenario:
All VPNs work.
I have admin access only on FGT60C (192.168.177.0/24) and FGT100A (10.1.0.0/24). No admin access for FGT60D (192.168.0.0/24).
It's an atypical set-up, but I found a configured and working VPN from FGT100A to FGT60D, and I can't touch it.
For the moment, I can reach the printer (obviously) only from 10.1.0.0/24.
In other words, I want to route IP 192.168.0.246/32 (somehow) from FGT60C to FGT60D using FGT100A as a "bridge" between the two VPNs, so I can reach the printer (192.168.0.246/32) from 192.168.177.0/24.
I've tried policy routes, firewall policies, nothing. I'm convinced that something is escaping me.
My actual conf:
FGT60C - FW Policy FROM/TO 192.168.177.0/24 192.168.0.246/32 - Interfaces: VPN/Internal and vice versa
FGT100A - FW Policy FROM/TO 192.168.177.0/24 192.168.0.246/32 - Interfaces: VPN/Internal and vice versa
If I execute traceroute 192.168.0.246 from the FGT60C CLI, it stops after the VPN, i.e., it reaches 86.2.50.60 and then stops.
That's all. I hope I have been clear; my English is a bit evanescent.
Thank you very much for your availability.
What if you NAT the traffic?
Use an IP Pool to hide the original source from 192.168.177.0/24 behind something in the 10.1.0.0/24 network. This would happen on the firewall with the 10.1.0.0/24 network. The policy would be:
Source interface: VPN from FGT60C
Destination interface: VPN to FGT60D
Source: 192.168.177.0/24
Destination: 192.168.0.0/24
Service: any
NAT: Enabled
IP pool configuration: Use dynamic IP pool
Your IP pool would be set to overload and the IP set to a 10.1.0.0/24 IP (unused, of course).
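The policy described above, written out as a FortiOS CLI fragment for FGT100A. This is an added example, not configuration posted by anyone in the thread. It assumes interface-mode IPsec tunnels named "to-FGT60C" and "to-FGT60D", address objects created here, and 10.1.0.250 as the unused pool address; the static route is included only because FGT100A must already know that 192.168.0.0/24 lives behind the tunnel to FGT60D (the "printer reachable from 10.1.0.0/24" statement implies it already does).

```text
# FGT100A: source-NAT 192.168.177.0/24 to a single 10.1.0.0/24 address
# before it enters the tunnel to FGT60D, so FGT60D only ever sees
# traffic from the subnet it already accepts (10.1.0.0/24).
# Tunnel and object names below are assumptions for this example.

config firewall address
    edit "net-192.168.177.0"
        set subnet 192.168.177.0 255.255.255.0
    next
    edit "net-192.168.0.0"
        set subnet 192.168.0.0 255.255.255.0
    next
end

config firewall ippool
    edit "pool-177-to-FGT60D"
        # overload = many-to-one PAT; start and end are the SAME host.
        # Do NOT use 10.1.0.0 - 10.1.0.255 here: the FortiGate would then
        # answer ARP for every address in the subnet and break the local hosts.
        set type overload
        set startip 10.1.0.250
        set endip 10.1.0.250
    next
end

config firewall policy
    edit 0
        set srcintf "to-FGT60C"
        set dstintf "to-FGT60D"
        set srcaddr "net-192.168.177.0"
        set dstaddr "net-192.168.0.0"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname "pool-177-to-FGT60D"
    next
end

# Route that must exist on FGT100A for the policy to be hit (assumed
# already present, since 10.1.0.0/24 hosts can reach the printer).
config router static
    edit 0
        set dst 192.168.0.0 255.255.255.0
        set device "to-FGT60D"
    next
end
```

A quick check after applying it: from a 192.168.177.0/24 host, ping 192.168.0.246 and run `diagnose sniffer packet to-FGT60D 'host 192.168.0.246' 4` on FGT100A; the source address leaving the tunnel should be 10.1.0.250, not 192.168.177.x. Return traffic comes back to 10.1.0.250 and is un-NATed by the same session, so no policy or route change on FGT60D is needed, which is exactly why this works without admin access there.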
You are great!!!
It worked at first shot
Thank you so much
Probably something went wrong.
Through a distraction, I entered 10.1.0.0/24 rather than 10.1.0.[UnusedIP].
Is it possible that this has caused an IP conflict between the locally connected machines?
Thanks for your reply
Yes, that would break connections between the 10.1.0.x/24 subnet and FGT60D.
Many thanks; at least I know that this problem is due to this setting.