Nat – Unable to access Server over VPN behind 2 Fortigate Firewalls; however ping is working

firewallfortigatenat;

Client -> VPN -> FG1 -> FG2 -> Server

Created a VPN tunnel with remote IP 10.20.30.4/32 and local ip 10.20.30.40/32
on FG1, NAT/VIP is established with VIP as 10.20.30.40 and server IP as 192.168.2.6

Now, client is able to ping VIP but not able to establish tcp on Port 35390
debug flow logs are:

*id=13 trace_id=1011 func=print_pkt_detail line=4307 msg="vd-root received a packet(proto=6, 10.20.30.4:46663->192.168.2.6:35390) from INTERNET-INTERFACE. flag [S], seq 186011604, ack 0, win 8192" id=13 trace_id=1011 func=init_ip_session_common line=4463 msg="allocate a new session-36c86cf8" id=13 trace_id=1011 func=vf_ip4_route_input line=1605 msg="find a route: flags=00000000 gw-192.168.2.6 via SERVER-INTERFACE" id=13 trace_id=1011 func=__iprope_tree_check line=534 msg="use addr/intf hash, len=3" id=13 trace_id=1011 func=fw_forward_handler line=537 msg="**Denied by forward policy check (policy 0)**"*

However policy is there in FG2; and through this policy only ping is working (checked the same in logs)

Unable to understand where the issue is. Please guide.

Best Answer

Don't use (source) NAT with VPN unless there is no other way.
Virtual IP is destination NAT - avoid as well
set according routes on the far side on each FGT, make sure the nodes use the FGT as gateway (or another gateway knowing the routes) - dynamic routing with OSPF or RIP is recommended
add policies on each side allowing the communication you require

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Further reading: ISR static routing

I cannot get an ip address right now from the DHCP server (Windows). Any insight into why?

Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.

From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.

You can remove the ip helper-address syntax from the SVI 100 given that the DHCP server is on the same segment and that command is used for a DHCP server(s) that is on a different segment.

interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27

Fortigate – Fixing HTTP/HTTPS Traffic Connections Timeout

I was never able to solve this issue. It seemed to be something within the FGT kernel and without an active Fortinet subscription, my working "solution" was to upgrade to an FGT-110C running 5.2.x.

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Fortigate – Fixing HTTP/HTTPS Traffic Connections Timeout

Related Topic