Hi All,
I have set up an IPsec VPN to Azure vWAN based on the Fortinet Cookbook article.
Cookbook | FortiGate / FortiOS 6.2.11 | Fortinet Documentation Library
It is working, and BGP is advertising routes from the internal LAN to Azure and vice versa.
My problem is that, when connecting to the FortiGate using the SSL VPN, I cannot use services hosted in Azure. Azure does not have a route back to my VPN IP range. I assume this is because the VPN pool is not considered an Internal Network.
I think the way to solve this is to create a new VLAN on the LAN side (which will be advertised via BGP) and use NAT from the VPN Pool to the LAN network.
Is this the correct approach to solve this problem? If so, could someone point me in the correct direction as to how to do this?
Regards,
Rob.
Dear Rob.
Hope you are doing well.
So basically you are unable to access the Azure LAN subnet from the FortiGate SSL VPN users?
Could you please try the below and check if this helps?
Create a policy from the FortiGate SSL VPN interface (as incoming interface) to the Azure VPN interface (as outgoing interface), allowing the source, destination and services.
Enable NAT and create a dynamic address (you can use your FortiGate LAN address as the NAT address) and save the policy.
After that, try to access the Azure LAN site.
The above policy basically sends the packet with the FortiGate LAN address as the source, and since Azure already has a route to reach the FortiGate LAN, the traffic will be routed back.
Please let me know if you have any queries.
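The policy described in the reply above, written out as FortiOS CLI. This is an added example, not configuration from the thread or from the cookbook; every interface name, address object, group and IP below is a placeholder you replace with your own values.

```fortios
# Placeholder names used below (replace with your own):
#   ssl.root            - SSL VPN tunnel interface
#   Azure-VPN           - IPsec tunnel interface to Azure vWAN
#   SSLVPN_TUNNEL_ADDR1 - address object for the SSL VPN client pool
#   Azure-LAN           - address object for the Azure subnet(s)
#   sslvpn-users        - user group allowed through the SSL VPN
#   192.168.10.254      - a spare address inside the LAN prefix that
#                         BGP already advertises to Azure

# Reserve one LAN-side address as an overload (PAT) pool so every SSL VPN
# client appears to Azure as a host on the advertised LAN prefix.
config firewall ippool
    edit "sslvpn-to-azure-pool"
        set type overload
        set startip 192.168.10.254
        set endip 192.168.10.254
    next
end

# Policy from the SSL VPN interface to the IPsec interface, with NAT
# through the pool above. Without the NAT, Azure has no route back to
# the SSL VPN client range and the return traffic is dropped.
config firewall policy
    edit 0
        set name "SSLVPN-to-Azure"
        set srcintf "ssl.root"
        set dstintf "Azure-VPN"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Azure-LAN"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "sslvpn-to-azure-pool"
    next
end

# Check from the CLI while a client pings an Azure host: packets leaving
# Azure-VPN should carry 192.168.10.254 as their source address.
# diagnose sniffer packet Azure-VPN 'host 192.168.10.254' 4
```

Pick a pool address that no LAN host uses, and narrow `service` from ALL to what the SSL VPN users actually need in Azure.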
Thank you ever so much. That worked perfectly.
Copyright 2024 Fortinet, Inc. All Rights Reserved.