NetFire
New Contributor

Routing Traffic between Two Site to Site VPN Tunnels

Hello,

This is my first post. I thank the administrators for accepting my request.

I'll come straight to the point.

My goal: reach and install a printer (192.168.0.246/32) which is "two FGTs ahead" (from 192.168.177.0/24).

My scenario:

  • FGT60C (192.168.177.0/24) - Admin Access
  • FGT100A (10.1.0.0/24) - Admin Access
  • FGT60D (192.168.0.0/24) - NO Admin Access

ALL VPNs WORK.

I have admin access only on FGT60C (192.168.177.0/24) and FGT100A (10.1.0.0/24). No admin access for FGT60D (192.168.0.0/24).

It's an atypical set-up, but I found an already configured and working VPN from FGT100A to FGT60D, and I can't touch it.

For the moment, I can reach the printer (obviously) only from 10.1.0.0/24.

In other words, I want to route IP 192.168.0.246/32 (somehow) from FGT60C to FGT60D using FGT100A as a "bridge" between the two VPNs, so I can reach the printer (192.168.0.246/32) from 192.168.177.0/24.

I've tried policy routes, firewall policies, nothing. I'm convinced that something is escaping me.

My current config:

FGT60C - FW Policy FROM/TO 192.168.177.0/24 192.168.0.246/32 - Interfaces: VPN/Internal and vice versa

FGT100A - FW Policy FROM/TO 192.168.177.0/24 192.168.0.246/32 - Interfaces: VPN/Internal and vice versa

If I execute traceroute 192.168.0.246 from the FGT60C CLI, it stops after the VPN, i.e., it reaches 86.2.50.60 and then stops.

That's all. I hope I have been clear, my English is a bit evanescent.

Thank you very much for your availability.

5 REPLIES
    EMES
    Contributor

What if you NAT the traffic?

Use an IP pool to hide the original source from 192.168.177.0 behind something in the 10.1.0.0/24 network. This would happen on the firewall with the 10.1.0.0 network. The policy would be:

Srcinterface: vpn from FGT60C
Dstinterface: vpn to FGT60D
Source: 192.168.177.0/24
Destination: 192.168.0.0/24
Service: any
NAT: Enabled
IP pool configuration: Use dynamic IP pool

Your IP pool would be set to overload and the IP set to a 10.1.0.0/24 address (unused, of course).
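As an added example (not EMES's text or a Fortinet document), here is what that policy looks like in FortiOS CLI on FGT100A; interface names, address object names and the pool host 10.1.0.250 are assumptions. Because the FGT100A-to-FGT60D tunnel already carries 10.1.0.0/24, FGT60D only ever sees a source it already handles and needs no change.

```fortios
# Address objects for the two LANs (names are assumptions)
config firewall address
    edit "NET_FGT60C_LAN"
        set subnet 192.168.177.0 255.255.255.0
    next
    edit "NET_FGT60D_LAN"
        set subnet 192.168.0.0 255.255.255.0
    next
end

# Overload pool: ONE unused host of 10.1.0.0/24, never the whole subnet.
# startip == endip; a range covering live 10.1.0.x hosts would make
# FGT100A answer ARP for them and break their own traffic to FGT60D.
config firewall ippool
    edit "POOL_HIDE_177_LAN"
        set type overload
        set startip 10.1.0.250
        set endip 10.1.0.250
    next
end

# Tunnel-to-tunnel policy; "edit 0" takes the next free policy ID.
# Source NAT rewrites 192.168.177.x to 10.1.0.250 on the way out,
# and the session table reverses it for the printer's replies.
config firewall policy
    edit 0
        set name "FGT60C_LAN_to_FGT60D_LAN_SNAT"
        set srcintf "vpn-to-FGT60C"
        set dstintf "vpn-to-FGT60D"
        set srcaddr "NET_FGT60C_LAN"
        set dstaddr "NET_FGT60D_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "POOL_HIDE_177_LAN"
    next
end
```

FGT60C still needs its own route and policy for 192.168.0.246/32 towards its tunnel to FGT100A, and FGT100A must already route 192.168.0.0/24 into the FGT60D tunnel, which it does since the printer is reachable from 10.1.0.0/24.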


    NetFire
    New Contributor

You are great!!!

It worked at the first shot.

Thank you so much.

    NetFire

Probably something went wrong.

Through a distraction, I entered 10.1.0.0/24 rather than 10.1.0.[UnusedIP].

Is it possible that this has caused an IP conflict between the locally connected machines?

Thanks for your reply.

    EMES

Yes, that would break connections between the 10.1.0.x/24 subnet and FGT60D.

    NetFire
    New Contributor

Many thanks, at least I know that this problem is due to this setting.
