Hello,
We have a hub and spoke architecture.
Each of the 3 spokes can ping the other spokes' networks (NAT disabled). When NAT is enabled on the spoke-zone-to-spoke-zone policy, the spokes can't ping each other.
At this time, Internet access at the spoke sites goes through their own Internet connection (WAN interface on each spoke).
We want to pass Internet access through the HUB to manage all Internet policies from the HUB.
Is it possible?
Thanks.
Regards.
Waaalex.
Yes, that is possible.
Some things to consider:
You need to set your default route to the VPN, but don't forget to put a static route to the VPN IP of the hub via the ISP gateway, else you lose your connection.
Your phase 2 will have to contain 0.0.0.0/0 as the destination, as you will have to encrypt all addresses.
Thank you very much, I finally understood what to do:
Summary:
On the HUB: VPN phase 2 with 0.0.0.0/0.0.0.0 as local and remote (to adapt if there are several phase 2 selectors: 0.0.0.0 for local only)
Create a policy ZONE_VPN to WAN with Internet access allowed (NAT)
On the SPOKE: route to the HUB public address through the SPOKE ISP
VPN phase 2 with 0.0.0.0/0.0.0.0 as local and remote (to adapt if there are several phase 2 selectors: 0.0.0.0 for remote only)
Default route to ZONE_VPN and a blackhole route (admin distance 254 for the blackhole)
Create a policy LAN to ZONE_VPN with ALL access
We can deny some VLANs as well.
Thank you very much for the help. I'm not a network specialist (much more of a systems person).
Forti Forever ;)
Regards,
Alex.
Nice, thanks for sharing.