Good evening everyone. I have a question, if it is possible to realize this scene.
We have 2 sites (A and B) in IPsec VPN. The first site A has class 192.168.0.0, the second B has class 192.168.1.0. In the first site we have another class, 192.168.2.0, configured on port2 of the firewall. Is it possible to reach class 192.168.2.0 from Site B?
If by "class" you're referring to the overlapping subnet on both sites, then yes, you can configure a VIP and NAT to achieve this; follow the link below.
Also, by default FortiGate will not allow you to configure overlapping subnets on interfaces. Check the guide below.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-subnet-overlap-to-set-IP-addresses-...
Hello and thank you very much for your reply. Indeed it is as I thought, in the sense that in site A I created a policy with NAT to put the two network classes in communication. But it does not work.
But perhaps I have not expressed correctly what is happening. I'm inserting a drawing of the situation.
Hi @Fabio74,
Just to clarify: on FGT A you have two ports with 192.168.1.0 and 192.168.10.0, and you want to reach, over IPsec, 192.168.40.0, which resides behind FGT B. Is that correct?
If that is the case, what does the phase2 look like? Are there policies that allow the traffic? Are there routes pointing towards those subnets over the tunnel interface?
Hi aionescu
Absolutely correct, what you say. You understood perfectly. Phase two is 0.0.0.0/24 in local and in remote.
Thanks
What does the routing look like? What about the firewall policy?
Please look at the link below and run a debug of the traffic flow to see how the traffic is handled.
Debugging the packet flow | FortiGate / FortiOS 6.2.12 (fortinet.com)
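The checks aionescu lists (overlapping interface subnets, a route toward the tunnel, a matching firewall policy, phase2 selectors that cover the flow) can be walked through in code. The script below is an added illustration and is not part of this thread or of FortiOS; it models FGT A with constructed data (interface names port1/port2, a hypothetical tunnel interface "vpn-B", and a hypothetical "wan1" default route) and reports which check a given source/destination pair fails. It does not talk to a firewall; the flow debug on the real box is what confirms the answer.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample configuration for FGT A, modelled on the thread:
# two LAN subnets on the firewall and an IPsec tunnel interface "vpn-B"
# (hypothetical name) leading to 192.168.40.0/24 behind FGT B.
TUNNEL = "vpn-B"
INTERFACES = {
    "port1": ip_network("192.168.1.0/24"),
    "port2": ip_network("192.168.10.0/24"),   # the subnet added later
}
# Static routes as (destination, egress interface); "wan1" is hypothetical.
ROUTES = [
    (ip_network("192.168.40.0/24"), TUNNEL),
    (ip_network("0.0.0.0/0"), "wan1"),
]
# Phase 2 selectors as (local, remote); wildcard selectors as in the thread.
PHASE2 = [(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))]
# Firewall policies: only the original LAN is allowed into the tunnel,
# which is the gap a newly added subnet typically runs into.
POLICIES = [
    {"srcintf": "port1", "dstintf": TUNNEL,
     "src": ip_network("192.168.1.0/24"), "dst": ip_network("192.168.40.0/24")},
    {"srcintf": TUNNEL, "dstintf": "port1",
     "src": ip_network("192.168.40.0/24"), "dst": ip_network("192.168.1.0/24")},
]


def overlapping_interfaces(interfaces):
    """Pairs of interface names whose subnets overlap.

    FortiOS rejects such a configuration unless subnet overlap is
    explicitly enabled, so rule it out first."""
    return [(a, b) for (a, na), (b, nb) in combinations(interfaces.items(), 2)
            if na.overlaps(nb)]


def ingress_interface(src, interfaces):
    """Name of the directly connected interface that holds src, or None."""
    for name, net in interfaces.items():
        if src in net:
            return name
    return None


def lookup_route(dst, routes):
    """Longest-prefix match over the static routes; returns the egress interface."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def policy_allows(srcintf, dstintf, src, dst, policies):
    """True if some policy matches the interface pair and both addresses."""
    return any(p["srcintf"] == srcintf and p["dstintf"] == dstintf
               and src in p["src"] and dst in p["dst"] for p in policies)


def phase2_covers(src, dst, selectors):
    """True if a (local, remote) phase 2 selector pair covers the flow."""
    return any(src in local and dst in remote for local, remote in selectors)


def diagnose(src_ip, dst_ip, interfaces=INTERFACES, routes=ROUTES,
             policies=POLICIES, selectors=PHASE2, tunnel=TUNNEL):
    """Walk the checks in the order the firewall applies them.

    Returns a list of findings; an empty list means the flow passes every
    check this model covers."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    findings = []
    overlaps = overlapping_interfaces(interfaces)
    if overlaps:
        findings.append(f"overlapping interface subnets: {overlaps}")
    srcintf = ingress_interface(src, interfaces)
    if srcintf is None:
        findings.append(f"{src} is not on any configured interface")
        return findings
    dstintf = lookup_route(dst, routes)
    if dstintf is None:
        findings.append(f"no route for {dst}")
        return findings
    if dstintf != tunnel:
        findings.append(f"{dst} routes out {dstintf}, not tunnel {tunnel}")
        return findings
    if not policy_allows(srcintf, dstintf, src, dst, policies):
        findings.append(f"no policy {srcintf} -> {dstintf} for {src} -> {dst}")
    if not phase2_covers(src, dst, selectors):
        findings.append(f"no phase 2 selector covers {src} -> {dst}")
    return findings


if __name__ == "__main__":
    for pair in [("192.168.1.10", "192.168.40.10"), ("192.168.10.10", "192.168.40.10")]:
        print(pair, diagnose(*pair) or "ok")
```

With the constructed data, a host on port1 passes every check, while a host on the later-added port2 subnet fails only the policy check: the route and the wildcard phase2 selectors already cover it, so adding a policy from port2 to the tunnel (and the reverse policy) is where to look. The same model reports an overlap finding if two interfaces are given overlapping subnets.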
I must be sincere. I'm ashamed to say it, but I'm not able to do it :(
I managed to debug it. From the 192.168.10.0 network to the 192.168.40.0 network it does not pick up any packets. Nothing, nisba, nada. From 192.168.10.0 to 192.168.1.0, it captures packets regularly. The policy I created is 192.168.10.0 towards vpn B with NAT enabled, and then the reverse from vpn B to 192.168.10.0 with NAT enabled.
Consider that the two FortiGates A and B communicate perfectly. Even the PCs between them. The class 192.168.10.0 is one I'm adding now because I need it.