Fortigate VDOMs instead of two CISCO routers

Author: kzuk (New Member), 2019/08/28 08:51:26


Hi,
 
I have used two CISCO routers so far.
The first router provided access to the internet and served the first segment of the network. Behind this router was a second one (behind NAT), which acted as a network separator. I would like to implement this configuration on one Fortigate 100E. I have already created two VDOMs, but I am not sure if I should use VDOM Links or something else.
 

Attached Image(s)

#1

16 Replies

    ede_pfau (Expert Member, Heidelberg, Germany), 2019/08/28 09:49:42
    If you want to go that way, VDOM links would be natural to use. The only other setup would be to assign some physical ports to each VDOM and connect them via an external cable, which, in comparison, is not only less elegant, but VDOM links might offer more bandwidth on top.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    Toshi Esumi (Expert Member), 2019/08/28 10:25:57
    FYI: you can find the configuration in the online help.
    https://help.fortinet.com...t=inter-vdom%20routing
    #3
    oliviahuffman (New Member), 2019/08/28 10:34:22
    Nice, thank you for sharing!!
    #4
    kzuk (New Member), 2019/08/29 00:48:35
    Ok, I have a problem. I have configured a FortiSwitch with the FortiGate. The VDOMs are configured with VLAN interfaces (FortiSwitch).
     
    I set static routes on both VDOMs and can't send any packets between the VDOMs.
     
    Policies are configured on both VDOMs, and while I try to ping the other side I see activity, but only on the current VDOM.
     
    Communication within a VDOM is OK. I have a problem with the route between the VDOMs.
    #5
    smari (Bronze Member, Iceland), 2019/08/29 01:51:01
    What does your debug flow say?

    NSE7, FMG, FAC, FAZ .
    1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
     
    #6
    kzuk (New Member), 2019/08/29 04:05:11
    Ping from one VDOM to another.
     
    VDOM_Public: one host with IP 172.3.255.10
    VDOM_Secure: one host with IP 172.4.255.10
     
    Pinging from 172.4.255.10 to 172.3.255.10. 
     
    Policies set to ALL services.
     
    diagnose debug enable 
    diagnose debug flow filter proto 1
    diagnose debug flow show function-name enable
    diagnose debug flow trace start 20
     
    id=20085 trace_id=4541 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.4.255.10:1->172.3.255.10:2048) from VLAN_Secure. type=8, code=0, id=1, seq=7894."
    id=20085 trace_id=4541 func=init_ip_session_common line=5657 msg="allocate a new session-0000cd58"
    id=20085 trace_id=4541 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-172.3.255.10 via npu0_vlink1"
    id=20085 trace_id=4541 func=fw_forward_handler line=751 msg="Allowed by Policy-2: SNAT"
    id=20085 trace_id=4541 func=__ip_session_run_tuple line=3328 msg="SNAT 172.4.255.10->172.4.255.1:60417"
    id=20085 trace_id=4542 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.4.255.10:1->172.3.255.10:2048) from VLAN_Secure. type=8, code=0, id=1, seq=7895."
    id=20085 trace_id=4542 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000cd58, original direction"
    id=20085 trace_id=4542 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN_Secure to npu0_vlink1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000000"
    id=20085 trace_id=4542 func=__ip_session_run_tuple line=3328 msg="SNAT 172.4.255.10->172.4.255.1:60417"
    id=20085 trace_id=4543 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.4.255.10:1->172.3.255.10:2048) from VLAN_Secure. type=8, code=0, id=1, seq=7896."
    id=20085 trace_id=4543 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000cd58, original direction"
    id=20085 trace_id=4543 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN_Secure to npu0_vlink1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000000"
    id=20085 trace_id=4543 func=__ip_session_run_tuple line=3328 msg="SNAT 172.4.255.10->172.4.255.1:60417"
    id=20085 trace_id=4544 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.4.255.10:1->172.3.255.10:2048) from VLAN_Secure. type=8, code=0, id=1, seq=7897."
    id=20085 trace_id=4544 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000cd58, original direction"
    id=20085 trace_id=4544 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN_Secure to npu0_vlink1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000000"
    id=20085 trace_id=4544 func=__ip_session_run_tuple line=3328 msg="SNAT 172.4.255.10->172.4.255.1:60417"
    #7
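    The trace above covers only the half of the path inside VDOM_Secure: the packet enters from VLAN_Secure, is routed to npu0_vlink1 and is allowed (with SNAT) by Policy-2. Whether it is then accepted on the other end of the link is decided in the other VDOM, and only a trace run there shows it. The following is an added example of that check, not a command set from any poster. It assumes the Public end of the NPU link pair is named npu0_vlink0 (the thread only shows npu0_vlink1), that the LANs are 172.3.255.0/24 and 172.4.255.0/24 (only one host of each is given), and that the firmware supports `diagnose debug flow show iprope enable`, which prints the policy lookup rather than just the verdict. The debug messages quoted in the comments are the standard FortiOS flow-trace strings.

```fortios
# Added example, not from the thread. Run on the FortiGate CLI while the
# Public host 172.3.255.10 pings the Secure host 172.4.255.10.
# Assumed: npu0_vlink0 is the Public end of the link (only npu0_vlink1 is
# shown in the thread); LAN prefixes are /24.

# 1. Does each VDOM have a route over the vlink for the far side?
config vdom
    edit VDOM_Public
        get router info routing-table all   # expect: S 172.4.255.0/24 ... via npu0_vlink0
    next
    edit VDOM_Secure
        get router info routing-table all   # expect: S 172.3.255.0/24 ... via npu0_vlink1
    next
end

# 2. Trace the packet in the VDOM where it enters (Public), with the policy lookup shown.
config vdom
    edit VDOM_Public
        diagnose debug flow filter clear
        diagnose debug flow filter proto 1
        diagnose debug flow filter addr 172.4.255.10
        diagnose debug flow show function-name enable
        diagnose debug flow show iprope enable
        diagnose debug enable
        diagnose debug flow trace start 10
        # ... start the ping from 172.3.255.10 now ...
        # Good: "find a route: ... via npu0_vlink0" followed by "Allowed by Policy-N"
        # Bad:  "find a route: ... via <WAN interface>"  -> no static route for 172.4.255.0/24,
        #                                                 the default route wins
        #       "Denied by forward policy check"       -> no VLAN_Public -> npu0_vlink0 policy
        diagnose debug flow trace stop
        diagnose debug disable
    next
end

# 3. Trace the same packets where they come off the link (Secure).
config vdom
    edit VDOM_Secure
        diagnose debug flow filter clear
        diagnose debug flow filter proto 1
        diagnose debug flow filter addr 172.4.255.10
        diagnose debug flow show function-name enable
        diagnose debug flow show iprope enable
        diagnose debug enable
        diagnose debug flow trace start 10
        # Good: "received a packet ... from npu0_vlink1" followed by "Allowed by Policy-M"
        # Bad:  nothing at all                  -> VDOM_Public never forwarded it (see step 2)
        #       "Denied by forward policy check" -> no npu0_vlink1 -> VLAN_Secure policy
        #       "reverse path check fail"        -> VDOM_Secure has no route back to
        #                                           172.3.255.0/24 via npu0_vlink1
        diagnose debug flow trace stop
        diagnose debug disable
        diagnose debug reset
    next
end
```

    A packet crossing an inter-VDOM link is processed twice, once per VDOM, so a one-way result usually means the trace in the second VDOM either never sees the packet (dropped or misrouted in the first) or denies it. Filtering on the far-end host address keeps both traces to the traffic under test; `diagnose debug reset` afterwards clears the flow and debug settings so they do not keep running on a production box.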
    smari (Bronze Member, Iceland), 2019/08/29 04:13:23
    Hmm, can you post the config of the routes and the vlink?

    NSE7, FMG, FAC, FAZ .
    1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
     
    #8
    kzuk (New Member), 2019/08/29 04:19:37
    Sure, I can post the whole config.
     
     
     
    #9
    smari (Bronze Member, Iceland), 2019/08/29 04:23:46
    Try removing the gw address on the vlink static route (set it as 0.0.0.0) and check the flow again.

    NSE7, FMG, FAC, FAZ .
    1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
     
    #10
    kzuk (New Member), 2019/08/29 04:33:54
    I already tried that. Nothing changed.
    #11
    smari (Bronze Member, Iceland), 2019/08/29 04:46:17
    All right, try putting some IPs on the vlink interfaces and ping between them, and from the secure host to the IP on the vlink's public end.

    NSE7, FMG, FAC, FAZ .
    1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
     
    #12
    kzuk (New Member), 2019/08/29 04:58:12
    I already tried that... but... can't :(
     
    VLAN_Public is configured for use with FortiSwitch. The VDOMs are configured with these VLAN interfaces.
     

    Attached Image(s)

    #13
    smari (Bronze Member, Iceland), 2019/08/29 05:26:34
    Ahh, you can put any address on there, just put a /30 with IPs on each vlink interface within range.
     

    NSE7, FMG, FAC, FAZ .
    1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
     
    #14
    kzuk (New Member), 2019/08/29 05:44:26
    Ok, debug flow below.
     
    Current vlink config:

     
    (VDOM_Secure) # execute ping 172.3.255.10
     
    id=20085 trace_id=4561 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=0."
    id=20085 trace_id=4561 func=init_ip_session_common line=5657 msg="allocate a new session-0000e6d6"
    id=20085 trace_id=4562 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=1."
    id=20085 trace_id=4562 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction"
    id=20085 trace_id=4563 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=2."
    id=20085 trace_id=4563 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction"
    id=20085 trace_id=4564 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=3."
    id=20085 trace_id=4564 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction"
    id=20085 trace_id=4565 func=print_pkt_detail line=5497 msg="vd-VDOM_Secure:0 received a packet(proto=1, 172.20.255.2:4608->172.3.255.10:2048) from local. type=8, code=0, id=4608, seq=4."
    id=20085 trace_id=4565 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0000e6d6, original direction"
     
    PING 172.3.255.10 (172.3.255.10): 56 data bytes

    --- 172.3.255.10 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    Attached Image(s)

    #15
    ede_pfau (Expert Member, Heidelberg, Germany), 2019/08/29 10:59:42
    Please add "diag deb flow console ip ena" to enable policy check debugs.
    And you're pinging from 172.20. to 172.3., whereas the other link's end is 172.10. - ??

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #16
    kzuk (New Member), 2019/08/29 12:29:24
    There is progress :)
     
    But I can ping only one way.
     
    VDOM_Public
    - has internet access - this is OK
    - has access to VLAN_Public - this is OK
    - does not have access to VLAN_Secure - not OK :(
     
    VDOM_Secure
    - does not have internet access - this is OK
    - has access to both VDOMs - this is OK
     
    Config uploaded.
     
    Policies are the same on both VDOMs, static routes too. And communication is only one way.
     
    Any suggestions?
    #17
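    For reference, the complete set of objects a two-way inter-VDOM path needs is: both ends of the link addressed from the same /30, a static route in each VDOM for the far LAN pointing at its own end of the link, and, per direction, an accept policy in the ingress VDOM (LAN to vlink) and another in the egress VDOM (vlink to LAN), four policies in total. The configuration below is an added example, not the poster's uploaded config. Assumptions: the Public end of the NPU link pair is npu0_vlink0 (the thread only shows npu0_vlink1), the link subnet is 172.20.255.0/30 with .2 on the Secure end (as in the trace in #15) and .1 on the Public end, the LANs are 172.3.255.0/24 and 172.4.255.0/24, and policy and route IDs 10/11 are free. On models without NPU vlinks, `config system vdom-link` creates a software pair with the same two-interface shape. FortiOS 6.x syntax.

```fortios
# Added example, not the poster's configuration.
# Assumed: npu0_vlink0 = Public end, npu0_vlink1 = Secure end,
#          link subnet 172.20.255.0/30, LANs 172.3.255.0/24 and 172.4.255.0/24.

config global
    config system interface
        edit npu0_vlink0
            set vdom VDOM_Public
            set ip 172.20.255.1 255.255.255.252
            set allowaccess ping          # lets the far VDOM ping this end for testing
        next
        edit npu0_vlink1
            set vdom VDOM_Secure
            set ip 172.20.255.2 255.255.255.252
            set allowaccess ping
        next
    end
end

config vdom
    edit VDOM_Public
        config router static
            edit 10
                set dst 172.4.255.0 255.255.255.0
                set device npu0_vlink0    # point-to-point link, no gateway needed
            next
        end
        config firewall policy
            edit 10
                set name "public-to-secure"
                set srcintf VLAN_Public
                set dstintf npu0_vlink0
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat disable           # keep real source addresses across the link
            next
            edit 11
                set name "secure-to-public"
                set srcintf npu0_vlink0
                set dstintf VLAN_Public
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat disable
            next
        end
    next
    edit VDOM_Secure
        config router static
            edit 10
                set dst 172.3.255.0 255.255.255.0
                set device npu0_vlink1
            next
            # deliberately no default route here: VDOM_Secure stays off the internet
        end
        config firewall policy
            edit 10
                set name "secure-to-public"
                set srcintf VLAN_Secure
                set dstintf npu0_vlink1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat disable
            next
            edit 11
                set name "public-to-secure"
                set srcintf npu0_vlink1
                set dstintf VLAN_Secure
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat disable
            next
        end
    next
end
```

    Two design points are worth keeping once this works. NAT is left off on the link policies: the trace in #7 showed "Allowed by Policy-2: SNAT", and with NAT on, the other VDOM only ever sees the link address, so its policies and logs cannot distinguish hosts on the far LAN. And `all`/`ALL` mirrors the bring-up state in the thread; for the "network separator" role the old second router had, the VDOM_Secure policies are where to narrow source, destination and service so that the public segment reaches only the secure services it needs.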