FortiGate 50E: NATed devices can reach the web, 50E itself cannot, help!!!
We currently have a new setup in which a 50E is used as the DMZ firewall and connects directly to the WWW router on a non-routed /30 subnet (transit), and a 100E connects directly to the 50E via a transit link. Devices behind the 100E and 50E can get to the web via a NAT overload, and there are specific 1-to-1 NATs as well.
The 100E doesn't do NAT; all NAT is on the 50E. The 100E can ping the web (22.214.171.124) and reach Fortinet via the dashboard for updates etc. using a route that points to the 50E; the 50E then just pushes everything from that subnet to a public address via NAT overload. My issue is that the 50E cannot ping 126.96.36.199 and does not receive updates from Fortinet on the dashboard.
Any advice? I added a loopback with its own public address; this didn't work. I added the loopback to the NAT overload group that the 100E uses; that didn't work either. I even created a 1-to-1 NAT from the /30 IP that connects to the router (not advertised) to a new public address; this wouldn't allow the 50E to ping out via that specific source either.
I have asked the network team to check what is allowed in. I ran a packet sniffer and it showed packets going out but not returning for the 50E; they do return for the 100E. The router does have an inbound ACL which denies any IP to the 50E's specific /30 IP, but the 100E is able to get out using the NAT.
Any ideas appreciated.
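Added example, not part of the original post and not the poster's configuration. In FortiOS, traffic the FortiGate originates itself (pings run from its CLI, FortiGuard update and licence checks, DNS lookups) does not traverse firewall policies, so IP pools and VIPs configured for transit traffic never rewrite it; it leaves with the egress interface's own address, which on the setup described above is the /30 transit IP, unless a per-service source IP is configured. The CLI fragment below shows the loopback and per-service `source-ip` settings to check, plus the per-session ping source option and a sniffer filter to confirm which source address actually leaves the box. The interface name `lo_pub`, the public address 203.0.113.10, the WAN interface name `wan1` and the target host 198.51.100.1 are assumptions for illustration.

```fortios
# Added example, not the poster's configuration. Names and addresses are assumed:
# lo_pub / 203.0.113.10 = loopback carrying a public address, wan1 = the /30
# transit interface facing the WWW router, 198.51.100.1 = an arbitrary Internet host.

# 1. Loopback that will carry the public source address for self-originated traffic.
config system interface
    edit "lo_pub"
        set vdom "root"
        set type loopback
        set ip 203.0.113.10 255.255.255.255
        set allowaccess ping
    next
end

# 2. FortiGuard update/licence traffic and DNS lookups are sourced from lo_pub
#    instead of the egress (/30) interface address. Firewall-policy IP pools and
#    VIPs do not apply to self-originated traffic, so these per-service settings
#    are what change its source address.
config system fortiguard
    set source-ip 203.0.113.10
end
config system dns
    set source-ip 203.0.113.10
end

# 3. Test from the CLI. A plain 'execute ping' uses the /30 interface IP; the
#    source option below applies to the current CLI session only and is not saved.
execute ping-options source 203.0.113.10
execute ping 198.51.100.1

# 4. Confirm on the wire which source address leaves wan1 and whether a reply
#    comes back (verbose level 4 prints the interface name on each packet).
diagnose sniffer packet wan1 'host 198.51.100.1' 4
```

Whether the replies then make it back still depends on the upstream router: it must have a route for 203.0.113.10 pointing at the 50E's /30 address and its inbound ACL must permit that address, which is the check the post says is still with the network team.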