unable to ping beyond default gateway on new Internet connection
I have a Fortigate 200B with the latest 4.0 firmware.
We use multiple Internet connections, two PPPoE connections that work just fine, and one new manual connection that I can't get to work. I feel like I must be missing something really simple/stupid.
The connections that are working:

Port 13 (DSL01) - DHCP
63.231.68.142/255.255.255.255  Gateway: 207.225.112.6

Port 14 (DSL02) - DHCP
216.160.163.168/255.255.255.255  Gateway: 207.225.112.2

The connection that isn't working:

Port 15 (EoCu) - Manual
63.232.194.114/255.255.255.248
Static routes:

Device   Distance  Priority  Gateway         IP/Mask
port 13  10        5         0.0.0.0         0.0.0.0/0.0.0.0
port 14  10        5         0.0.0.0         0.0.0.0/0.0.0.0
port 15  10        5         63.232.194.113  0.0.0.0/0.0.0.0
Static Settings:
port 13 ping server 4.2.2.1
port 14 ping server 4.2.2.2
port 15 ping server 63.232.194.113
Routing monitor shows:

Type       Network            Distance  Gateway        Interface
static     0.0.0.0/0          5         207.225.112.2  PPP1
static     0.0.0.0/0          5         207.225.112.6  PPP2
(no other static entries are listed for any interfaces)
connected  63.231.68.142/32   0         0.0.0.0        PPP2
connected  63.232.194.112/29  0         0.0.0.0        Port 15
connected  207.225.112.2/32   0         0.0.0.0        PPP1
connected  207.225.112.6/32   0         0.0.0.0        PPP2
connected  216.160.163.168/32 0         0.0.0.0        PPP1

(why isn't my static route default gateway listed for port 15???)
From the firewall console:
exec ping 63.232.194.113 comes back fine
exec ping 207.109.53.142 does not come back
When I connected my laptop to the same connection as port 15 I configured it like this:
IP: 63.232.194.114
Subnet mask: 255.255.255.248
Default gateway: 63.232.194.113
With that configuration, I am able to ping 207.109.53.142 from my laptop.
What am I missing???
21 Replies
What do you get when you "exec traceroute 207.109.53.142" from the Fortigate?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
exec traceroute 207.109.53.142

I think it goes out over one of the other connections:

IASLC-FW01 # exec traceroute 207.109.53.142
traceroute to 207.109.53.142 (207.109.53.142), 32 hops max, 72 byte packets
 1  207.225.112.2 <hlrn-dsl-gw02.hlrn.qwest.net>  38.313 ms  37.918 ms  39.709 ms
 2  71.217.188.13 <hlrn-agw2.inet.qwest.net>  37.788 ms  37.658 ms  37.722 ms
 3  67.14.24.17 <dvr-core-01.inet.qwest.net>  38.925 ms  39.289 ms  39.080 ms
 4  67.14.24.93 <dvr-edge-13.inet.qwest.net>  38.596 ms  38.563 ms  38.373 ms
 5  * * *
...
Have you checked off the "NAT" checkbox in that policy? Any policy facing the Internet needs that checked if your inside IP addresses are in the private (RFC 3330) range.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Yes, NAT is checked and using destination interface IP address in all outbound rules.
Correct me if I'm wrong, but I shouldn't even need a rule to be able to ping 1 hop beyond my default gateway from the firewall console, right?
ORIGINAL: BraddyJ
Yes, NAT is checked and using destination interface IP address in all outbound rules. Correct me if I'm wrong, but I shouldn't even need a rule to be able to ping 1 hop beyond my default gateway from the firewall console, right?

You are correct. I missed the console part of the post. Perhaps you need to set the ping options in the unit to use the IP associated with that port...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Yes, that's correct. Have you run diag debug flow and/or the packet sniffer? If you're doing traceroute, it should be UDP, with a high UDP port number incrementing per hop.
PCNSE
NSE
StrongSwan
I have not tried that, and to be honest I'm not sure how. Could you provide some steps to follow please?
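The debug-flow and sniffer checks suggested above, together with the earlier ping-options suggestion, as an added FortiOS 4.0 CLI example that is not from any poster in this thread. The addresses are the ones already posted (port15 is 63.232.194.114 with gateway 63.232.194.113, the target is 207.109.53.142); the static route id 3 is an assumption, so substitute the id shown in your own `config router static` output.

```fortios
# Added example, not from the original thread. FortiOS 4.0 CLI.
# Route id 3 is an assumption; the IP addresses are from the posts above.

# 1. Is the port15 default route in the RIB at all? The database view lists
#    every candidate route, active or not; only entries marked "*" are installed.
get router info routing-table database
get router info routing-table all

# 2. Source the console ping from port15's own address. With three equal
#    distance/priority default routes the unit load-balances the flow, and the
#    routing monitor above shows only PPP1 and PPP2 as installed gateways.
execute ping-options source 63.232.194.114
execute ping 207.109.53.142
execute ping-options reset

# 3. Watch the wire while pinging (run this in a second CLI session, it blocks).
#    Verbosity 4 prints the interface name, so it is obvious whether the echo
#    request leaves port15 or one of the PPP links.
diagnose sniffer packet any 'host 207.109.53.142 and icmp' 4

# 4. Trace the forwarding decision for the same flow.
diagnose debug flow filter addr 207.109.53.142
diagnose debug flow filter proto 1
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable
execute ping 207.109.53.142
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable

# 5. If step 1 shows no port15 default route at all (not even inactive),
#    re-enter it; the values match the static route table posted above.
config router static
    edit 3
        set device port15
        set gateway 63.232.194.113
        set distance 10
        set priority 5
    next
end
```

Read the two outputs together: if the sniffer shows the echo request leaving on PPP1 or PPP2 even with the port15 source address set, the port15 route is not installed and step 1 tells you whether it exists but is inactive or is simply absent.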
Yes, NAT is checked and using destination interface IP address in all outbound rules.

Is Port15 showing any traffic at all? Duplex/speed set to auto or forced? ("debug hardware deviceinfo nic port15") Any router policy configured? Considering all routes being equal, wouldn't the fgt pick either the lowest port# or use odd/even, etc. when choosing a route path?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
"Debug hardware deviceinfo nic port15" returns "Unknown action 0"
Here is the output from get hardware nic port15:
IASLC-FW01 # get hardware nic port15
Driver Name: NP2
Version: 0.92
Chip Revision: 2
BoardSN: [unreadable in the original post]
Module Name: 200B-256
DDR Size: 256 MB
Bootstrap ID: 18
PCIX-64bit-@133MHz bus: 02:00.0
Admin: up, num=4, duration=6997551
Current_HWaddr: 00:09:0f:fa:29:49
Permanent_HWaddr: 00:09:0f:fa:29:49
Link: up, 5
Speed: 100Mbps
Duplex: Full
Rx Pkts: 38461
Tx Pkts: 33669
Rx Bytes: 2326528
Tx Bytes: 1469440
MAC2 Rx Errors: 0
MAC2 Rx Dropped: 0
MAC2 Tx Dropped: 0
MAC2 FIFO Overflow: 0
MAC2 IP Error: 0
TAE Entry Used: 0
TSE Entry Used: 3
Host Dropped: 0
Shaper Dropped: 0
EEI0 Dropped: 0
EEI1 Dropped: 0
EEI2 Dropped: 0
EEI3 Dropped: 0
IPSEC QFIFO Dropped: 0
IPSEC DFIFO Dropped: 0
PBA: 123/1019/251
Forwarding Entry Used: 0
Offload IPSEC Antireplay ENC Status: Disable
Offload IPSEC Antireplay DEC Status: Enable
Offload Host IPSEC Traffic: Disable
ses mask: 40047dcb