Support Forum
ssn179
New Contributor

How to route traffic initiated from location A to location C via location B on FortiGate?

Hi, we have a requirement to set up connectivity on FortiGate as below:

1) We have offices in Country A and Country B.

2) We need to access a third-party application hosted in Country C, for which connectivity has been allowed by the third-party application owner by whitelisting the Country B FortiGate WAN IP.

3) Our application, hosted on servers behind the firewall in Country A, has to access the application hosted in Country C via/through the Country B firewall.

The flow will be: a request is initiated by the Country A servers towards the Country B firewall, and then the Country B firewall has to route the request to the Country C third-party application using the Country B firewall WAN IP (because that WAN IP is whitelisted by the application owner).

Kindly advise how to achieve this and what configuration is required on our Country A and Country B FortiGate firewalls. As of now there is no connectivity established between the Country A and Country B firewalls.

7 REPLIES
Toshi_Esumi
Esteemed Contributor III

Set up a site-to-site VPN for the application's final destination(s), then route it through the tunnel without NAT. Once the traffic reaches the Country B location, it will be NATed to go out to the internet toward the provider.

ssn179

@toshiesumi,

Can you please advise the IPsec configuration on both firewalls under Phase-2 hosts? And also the IPv4 policies and routes to be added, if any.

Appreciate your kind help please.

ssn179

toshiesumi

Can you please advise on the Phase-2 host parameters on both the Country A and B firewalls? Also, please advise if there are any routes to be added and what IPv4 policy I should add.

Appreciate your help please.

Toshi_Esumi
Esteemed Contributor III

Say the third-party destination is D.D.D.D/32. If you're using the CLI, I would just leave the Phase-2 selector as 0/0<->0/0 but set a static route for D.D.D.D/32 to the tunnel interface without a GW. Adjust the policy, at least from internal at A to the tunnel, to limit the destination to D.D.D.D/32. If the third-party side needs to initiate sessions, you need another policy for the opposite direction. Of course the B side needs to have the same set of policies accordingly.

Then, finally, make sure the internet NAT policy at B allows traffic from A.

ssn179

toshiesumi

Please correct me on the configuration below, which I prepared to allow only limited traffic from the Country A firewall.

Country A firewall ------------------

1) Create Address: Third party (D.D.D.D/32) on the VPN interface.

2) IPsec Phase-2:

Local host: let's say 10.10.10.0/24

Remote host: Country B f/w LAN (172.20.200.0/24) + the third-party address created in step 1.

3) Update the IPsec VPN policy towards the Country B firewall with the third-party address in the destination.

Country B firewall ------------------

1) Create Address: Third party (D.D.D.D/32) on the WAN interface.

2) IPsec Phase-2:

Local host: let's say 172.20.200.0/24 + the third-party address created in step 1.

Remote host: Country A LAN subnet: 10.10.10.0/24

3) Update the IPsec VPN IPv4 policy with the below:

Source: Country A LAN, incoming interface: VPN interface

Destination: Third-party address, destination interface: WAN

Service: any

NAT enabled: yes

A default static route exists for all traffic:

Destination: 0.0.0.0/0, G/W: ISP g/w, interface: WAN.

4) Do I need to configure a static route for the IPsec VPN as well, like:

Destination: Third-party address D.D.D.D/32, interface: either ipsec_tunnel or wan?

Kindly check and confirm.

Toshi_Esumi
Esteemed Contributor III

Looks correct once you put the static route for D.D.D.D/32 and 172.20.200.0/24 toward the tunnel at FGT-A. Then for 10.10.10.0/24 toward the tunnel at FGT-B. 
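The design Toshi_Esumi lays out above (0/0 Phase-2 selectors, /32 and LAN static routes pointing at the tunnel interface with no gateway, a no-NAT policy into the tunnel at A, and a NAT policy out of the WAN at B) written out as FortiOS CLI. This is an added example, not configuration from the thread; it assumes Phase-1/Phase-2 with 0/0 selectors already exist, tunnel interface names "to-fgt-b" (on FGT-A) and "to-fgt-a" (on FGT-B), LAN interface "internal" and WAN interface "wan1", an address object "lan-a" for 10.10.10.0/24 on both units, "third-party-app" already created on FGT-B as in the poster's step 1, and D.D.D.D as the thread's placeholder for the third-party address.

```fortios
# ---- FGT-A (Country A): send third-party and B-LAN traffic into the tunnel, no NAT ----
config firewall address
    edit "third-party-app"
        set subnet D.D.D.D 255.255.255.255
    next
end
config router static
    # assumption: the tunnel interface is the Phase-1 name "to-fgt-b"; no gateway, as advised
    edit 0
        set dst D.D.D.D 255.255.255.255
        set device "to-fgt-b"
    next
    edit 0
        set dst 172.20.200.0 255.255.255.0
        set device "to-fgt-b"
    next
end
config firewall policy
    edit 0
        set name "lan-a-to-thirdparty-via-b"
        set srcintf "internal"
        set dstintf "to-fgt-b"
        set srcaddr "lan-a"
        set dstaddr "third-party-app"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# ---- FGT-B (Country B): route A's LAN back into the tunnel; NAT out of wan1 uses the whitelisted WAN IP ----
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "to-fgt-a"
    next
end
config firewall policy
    edit 0
        set name "lan-a-to-thirdparty-out-wan"
        set srcintf "to-fgt-a"
        set dstintf "wan1"
        set srcaddr "lan-a"
        set dstaddr "third-party-app"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because the selectors are 0/0, the static routes alone decide what enters the tunnel; the /32 destination in both policies is what keeps Country A from reaching anything other than the third-party application through B's WAN IP.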

ssn179

toshiesumi

Thanks buddy, we are testing it internally. Thanks once again for your help and prompt advice.
