How to route traffic initiated from location A to location C via location B on Fortigate?
Hi, we have a requirement to set up connectivity on Fortigate as below:
1) We have offices in Country A and Country B.
2) We need to access a third-party application hosted in Country C. Connectivity has been allowed by the third-party application owner by whitelisting the Country B Fortigate WAN IP.
3) Our application, hosted on servers behind the firewall in Country A, has to access the application hosted in Country C via/through the Country B firewall.
The flow will be like this: the request is initiated by the Country A servers towards the Country B firewall, and then the Country B firewall has to route the request to the Country C third-party application using the Country B firewall WAN IP (because that WAN IP is whitelisted by the application owner).
Kindly please advise how to achieve this and what configuration is required on our Country A and Country B Fortigate firewalls. As of now there is no connectivity established between the Country A and Country B firewalls.
Set up a site-to-site VPN for the application's final destination(s), then route it through the tunnel without NAT. Once the traffic reaches the Country B location, it will be NATed to go out to the internet toward the provider.
Can you please advise the IPsec configuration on both firewalls under phase-2 hosts? And also the IPv4 policies and routes to be added, if any.
Appreciate your kind help please.
Can you please advise on the Phase-2 host parameters on both the Country A and B firewalls? Also, please advise if there are any routes to be added and what IPv4 policy I should add.
Appreciate your help please.
Say the third-party destination is D.D.D.D/32. If you're using the CLI, I would just leave the phase2 selector as 0/0<->0/0 but set a static route for D.D.D.D/32 to the tunnel interface without a gateway. Adjust the policy, at least from internal at A to the tunnel, to limit the destination to D.D.D.D/32. If the third-party side needs to initiate sessions, you need another policy for the opposite direction. Of course, the B side needs to have the same set of policies accordingly.
Then, finally, make sure the internet NAT policy at B allows traffic from A.
Please correct me on the below configuration, which I prepared to allow only limited traffic from the Country A firewall.
Country A firewall
------------------
1) Create Address: Third party (D.D.D.D/32) on the VPN interface.
2) IPsec Phase-2:
Local host: let's say 10.10.10.0/24
Remote host: Country B f/w LAN (172.20.200.0/24) + Third party address created above in step 1.
3) Update the IPsec VPN policy towards the Country B firewall with the third party address in the destination.
Country B firewall
------------------
1) Create Address: Third party (D.D.D.D/32) on the wan interface.
2) IPsec Phase-2:
Local host: let's say 172.20.200.0/24 + Third party address created above in step 1.
Remote host: Country A LAN subnet: 10.10.10.0/24
3) Update the IPsec VPN IPv4 policy with the below:
Source: Country A LAN, incoming interface: VPN interface
Destination: Third party address, destination interface: wan
Service: any
NAT enabled: yes
Default static route exists for all:
Destination: 0.0.0.0/0, G/W: ISP g/w, interface: WAN.
4) Do I need to configure a static route for the IPsec VPN as well, like:
Destination: Third party address D.D.D.D/32, interface: either ipsec_tunnel or wan?
Kindly please check and confirm.
Looks correct once you put the static route for D.D.D.D/32 and 172.20.200.0/24 toward the tunnel at FGT-A. Then for 10.10.10.0/24 toward the tunnel at FGT-B.
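The thread's advice (0/0 phase2 selectors, a /32 static route to the tunnel interface with no gateway, a policy at A restricted to the /32 with NAT off, and a NAT policy at B from the tunnel to WAN) written out as FortiOS CLI. This is an added illustration, not configuration posted in this thread; the tunnel names "to-FGT-B"/"to-FGT-A", the interfaces "internal" and "wan1", the address objects "A-LAN" (10.10.10.0/24) and "ThirdParty-App" (D.D.D.D/32), the policy names and an already-configured phase1-interface on each unit are all assumptions.

```fortios
# FGT-A: phase1-interface "to-FGT-B" and address objects "A-LAN", "ThirdParty-App" assumed to exist
config vpn ipsec phase2-interface
    edit "to-FGT-B-p2"
        set phase1name "to-FGT-B"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# static route to the tunnel interface without a gateway steers the /32 into the tunnel
config router static
    edit 0
        set dst D.D.D.D 255.255.255.255
        set device "to-FGT-B"
    next
end
# policy limited to the /32, NAT off so FGT-B sees the real 10.10.10.x source
config firewall policy
    edit 0
        set name "A-LAN-to-ThirdParty-via-B"
        set srcintf "internal"
        set dstintf "to-FGT-B"
        set srcaddr "A-LAN"
        set dstaddr "ThirdParty-App"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# FGT-B: phase1-interface "to-FGT-A" with the same 0/0 phase2; return route for A's LAN
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "to-FGT-A"
    next
end
# internet policy: A's LAN from the tunnel to WAN, NAT on so egress uses the whitelisted WAN IP
config firewall policy
    edit 0
        set name "A-LAN-to-ThirdParty-out"
        set srcintf "to-FGT-A"
        set dstintf "wan1"
        set srcaddr "A-LAN"
        set dstaddr "ThirdParty-App"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The route for Country B's LAN (172.20.200.0/24) on FGT-A is added the same way as the /32, with the tunnel as device and no gateway; the `#` lines are annotations, not commands.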
Thanks buddy, we are testing it internally. Thanks once again for your help and prompt advice.
