I'm working with a remote client - they are replacing a Cisco ASA managed by their ISP with a new FortiGate 200E cluster.
The current ASA is on an internet circuit that will also be retired. We have no access to the Cisco ASA outside of making requests to the third party.
The Fortigate cluster is connected to a new circuit and I have full access to it.
The client has 3 different VPN tunnels to a 3rd party that serve different purposes. They are direct public-to-public VPNs with no private networks specified. The 3rd party uses 3 different NATs on the Cisco to access an AS/400 server. These NATs are accessed through the VPN tunnels and are the same public IP to the same private IP, with 3 different ports being accessed.
I met with the 3rd party and they can only cutover one of the NATs to the new Fortigate cluster at a time.
The Cisco ASA is their current default gateway at 10.103.202.44. They also have a DMZ interface on a 192.168.* network and their internet connection.
What is the best way we can have this coexist for the week that they need to coexist (the change windows for the 3 VPNs are on different days/times over the next week)?
Our current thought is that the fact they are NATs is actually an advantage: they all NAT to the same internal IP of 10.103.202.50, just on different TCP ports. This means they should be able to coexist. Move each VPN one by one to the Fortinet and each NAT one by one. Our only concern is the default gateway.
Current plan is to have the third party change the interface IP on the Cisco to .1 and have the FortiGate become the .44 IP/default gateway. This way all current servers, etc., should still maintain their access, and the NATs on the Cisco will continue to work until they are fully cut over to the FortiGate.
Does this make sense? Is there something I've overlooked?
Thanks!
Sounds good from what you stated; just that the client routing has to know the VPN dst. addr is to be reached by the FGT cluster.
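As an added example, not configuration from the original post or the reply, this is what one cut-over tunnel and its NAT look like in FortiOS CLI on the new cluster, followed by the interim route the reply is pointing at: while a NAT is still on the ASA, the AS/400's replies to those third-party hosts now arrive at the cluster (the new .44 default gateway) and have to be handed back to the ASA at .1, otherwise the flow is asymmetric and the ASA never sees the return traffic. Everything except the addresses quoted in the post (10.103.202.44, 10.103.202.50, the ASA moving to 10.103.202.1) is a placeholder: 203.0.113.10 for the cluster's public IP on the new circuit (a new circuit means this will not be the ASA's public IP, so the third party has to update both peer and NAT target per cutover), 198.51.100.20 for the third party's IKE peer, 192.0.2.0/24 and 198.51.100.64/27 for the third-party hosts behind tunnels 1 and 2, TCP 23 for the first AS/400 port, a /24 on the inside, and the interface and object names wan1, internal, vpn-3p-app1 and the like.

```fortios
# Added example, not the poster's config. Placeholders: 203.0.113.10 = cluster public IP
# on the new circuit, 198.51.100.20 = third-party IKE peer, 192.0.2.0/24 = third-party
# hosts behind tunnel 1, 198.51.100.64/27 = hosts behind tunnel 2 (still on the ASA),
# TCP/23 = first AS/400 port, wan1/internal = interface names, /24 inside mask.

# 1. Cluster takes over .44 once the third party moves the ASA inside interface to .1,
#    so the servers keep their existing default gateway.
config system interface
    edit "internal"
        set ip 10.103.202.44 255.255.255.0
    next
end

# 2. Tunnel 1, route-based (interface mode). Public-to-public: the phase 2 selectors are
#    public addresses only, no private networks, mirroring the ASA setup.
config vpn ipsec phase1-interface
    edit "vpn-3p-app1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 198.51.100.20
        set psksecret <preshared-key>
    next
end
config vpn ipsec phase2-interface
    edit "vpn-3p-app1-p2"
        set phase1name "vpn-3p-app1"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 203.0.113.10 255.255.255.255
        set dst-subnet 192.0.2.0 255.255.255.0
    next
end

# 3. The NAT: public IP to the AS/400, one TCP port. The other two VIPs are identical
#    apart from the port and are only added on the day their tunnel moves.
config firewall vip
    edit "vip-as400-app1"
        set extip 203.0.113.10
        set extintf "any"
        set portforward enable
        set mappedip "10.103.202.50"
        set extport 23
        set mappedport 23
    next
end
config firewall address
    edit "3p-app1-hosts"
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "3p-app2-hosts"
        set subnet 198.51.100.64 255.255.255.224
    next
end
config firewall service custom
    edit "tcp-as400-app1"
        set tcp-portrange 23
    next
end

# 4. Route the third-party hosts into tunnel 1 and allow only that port to the VIP.
config router static
    edit 0
        set dst 192.0.2.0 255.255.255.0
        set device "vpn-3p-app1"
    next
end
config firewall policy
    edit 0
        set name "3p-app1-to-as400"
        set srcintf "vpn-3p-app1"
        set dstintf "internal"
        set srcaddr "3p-app1-hosts"
        set dstaddr "vip-as400-app1"
        set action accept
        set schedule "always"
        set service "tcp-as400-app1"
        set logtraffic all
    next
end

# 5. Interim only: tunnel 2's NAT is still on the ASA, so replies from .50 to those hosts
#    reach .44 and must go back to the ASA at .1. Delete both objects on cutover day and
#    replace them with a tunnel route and policy like 4.
config router static
    edit 0
        set dst 198.51.100.64 255.255.255.224
        set gateway 10.103.202.1
        set device "internal"
    next
end
config firewall policy
    edit 0
        set name "interim-return-to-asa"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "3p-app2-hosts"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The interim route only works if each tunnel's third-party hosts are distinct ranges, which is an assumption here; if the three tunnels carry the same remote selectors and differ only by the AS/400 port, the return traffic has to be steered per source port with a policy route instead of a static route. Either way, check `get router info routing-table all` and the session table after each cutover to confirm the AS/400's replies leave through the same firewall the request came in on.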