Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Scott_Thomson
New Contributor

Created on ‎03-03-2014 08:54 AM

Virtual IP from site1 to site2 over VPN link

I have a number of sites connected via site-to-site interface-based VPN tunnels. The connections are via a fiber network that we don' t control the inbound internet traffic on. I have one site that also has a DSL link on WAN2. What I' d like to be able to do is create a virtual IP on this unit (site1) to direct traffic (lets say p80) to a system on the LAN of site2. p80->WAN2/site1->V-IP (p80, LAN2-IP/site2)->[VPN]->WAN1/site2->LAN2-IP Is this possible? I' ve tried to create a virtual IP as I normally would for a local ' site1' IP, but I think I' m running into an issue with the ' mapped IP' being in the remote ' site2' subnet. I' ve tried creating my FW policies such that: a) SRCIFC = WAN2 SRCADD = All DESTIFC = WAN1 DESTADD = V-IP (with IP that is part of site2 LAN) b) SRCIFC = WAN2 SRCADD = All DESTIFC = SITE2-Phase1 (VPN ifc linked to WAN1) DESTADD = V-IP (with IP that is part of site2 LAN) Any insight or recommendations?
4051
0 Kudos
4 REPLIES 4
Scott_Thomson
New Contributor

Created on ‎03-10-2014 10:53 AM

I' ve collected some info via debug flow, hopefully this will help in making things clearer: The firewall rule is as such: SRCIFC = WAN2 SRCADD = All DESTIFC = INTERNAL DESTADD = VirtualIP (10.193.128.18, mapping p9110 to 9100) Debug output: XXX-FW1 # id=13 trace_id=10 msg=" vd-root received a packet(proto=6, [external src IP]:64687->[WAN2-IFC-IP]:9110) from wan2." id=13 trace_id=10 msg=" allocate a new session-0052fdad" id=13 trace_id=10 msg=" find SNAT: IP-10.193.128.18(from IPPOOL), port-9100" id=13 trace_id=10 msg=" VIP-10.193.128.18:9100, outdev-wan2" id=13 trace_id=10 msg=" DNAT [WAN2-IFC-IP]:9110->10.193.128.18:9100" id=13 trace_id=10 msg=" find a route: gw-10.193.128.18 via STD-Phase1" id=13 trace_id=10 msg=" Denied by forward policy check" I understand that the ' Denied by forward policy check' means I' m hitting a DENY rule (implicit or otherwise), but is there any way to determine which one?
2133
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎03-10-2014 11:25 AM

Denied by forward policy check"
Actually it means one of three things; No firewall policy matching the traffic that needs to be routed or forwarded by the FortiGate (Traffic will hit the Implicit Deny rule) The traffic is matching a DENY firewall policy The traffic is matching a ALLOW firewall policy, but DISCLAIMER is enabled, in this case, traffic will not be accepted unless end user will accept the HTTP disclaimer purposed by Fortigate while browser external site. Now back to what your doing, can you draft a clear map of the topology? I' m still scratching my head trying figuring out what your trying to do. Maybe a simple topodrawg and w/quick note on the drawing, will steer someone else into chime on a better or simpler way to get what you want. But what I gather you want to DNAT some ip_address with port-forward on port 80. My 1st question what or why would you need this over a vpn mesh? How do you have the phase2 proposal set ( take into consideration the DNAt and possible SNAT ) ? is this a route-based vpn ? And on this;
but I think I' m running into an issue with the ' mapped IP' being in the remote ' site2' subnet.
That might now work as you concluded unless we are missing something else.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2133
0 Kudos
Scott_Thomson
New Contributor
In response to emnoc

Created on ‎03-11-2014 08:20 AM

Thanks for the reply. I' ve attached a <very basic> diagram of what I' m trying to accomplish. Environment: - 5 sites connected via site-to-site IPSec tunnels on their WAN1 IFCs, configured in interface mode. We can access the internet via the fiber network that backs these links, but we don' t control the gateway, so we can' t route traffic into our sites via it. - Site1 also has DSL internet which we can route traffic in on - We' d like to be able to direct traffic from certain inbound ports on WAN2/Site1 to systems located in other sites. In this example, to 10.193.128.18/Site2
Preview file
35 KB
2133
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎03-11-2014 01:40 PM

I never seen that done that way. One of the biggest problem would be multiples of SRCs that hits your VIP external ip_address unless they are hidden behind a ip_pool of some sort, or all default is routed over the vpn, that that could be a problem A vip mapped address doesn' t need to be local to a firewall btw; So a cfg like this ; config firewall vip edit " VIP_20-001" set extip 142.x.x.20 set extintf " wan2" set mappedip 10.193.128.20 next When you do that and run diag debug flow, what do you get? ( I' m curious ) As alternative, could you just run GRE tunnels between all sites and try them like a WAN link? And you topo did clear up any confusion

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2133
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.