how to route traffic initiated from location to location C via location B on Fortigate?

Author
ssn179
New Member
  • Total Posts : 5
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/11/19 04:33:28
  • Status: offline
2019/11/19 04:50:50 (permalink)
0


Hi, we have a requirement to set up the connectivity on Fortigate as below:
1) We have our offices in Country A and Country B.
2) We need to access a third party application hosted in Country C, for which connectivity has been allowed by the third party application owner by whitelisting the Country B Fortigate WAN IP.
3) Our application, hosted on servers behind the firewall in Country A, has to access the application hosted in Country C via/through the Country B firewall.
The flow will be like this: the request will be initiated by the Country A servers towards the Country B firewall, and then the Country B firewall has to route the request to the Country C third party application using the Country B firewall WAN IP (because that WAN IP is whitelisted by the application owner).
Kindly advise how to achieve this and what configuration is required on our Country A and Country B Fortigate firewalls.
As of now there is no connectivity established between the Country A and Country B firewalls.

#1
Toshi Esumi
Expert Member
  • Total Posts : 1802
  • Scores: 151
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: how to route traffic initiated from location to location C via location B on Fortigate 2019/11/19 08:43:16 (permalink)
0
Set up a site-to-site VPN for the application's final destination(s), then route it through the tunnel without NAT. Once the traffic reaches the Country B location, it will be NATed to go out to the internet toward the provider.
#2
ssn179
New Member
Re: how to route traffic initiated from location to location C via location B on Fortigate 2019/11/19 23:53:48 (permalink)
0
@toshiesumi,
Can you please advise the IPsec configuration on both firewalls under phase-2 hosts? And also the IPv4 policies and routes to be added, if any.
Appreciate your kind help.
#3
ssn179
New Member
Re: how to route traffic initiated from location to location C via location B on Fortigate 2019/11/19 23:55:55 (permalink)
0
toshiesumi
Can you please advise on the phase-2 host parameters on both the Country A and B firewalls? Also, please advise if there are any routes to be added and what IPv4 policy I should add.
Appreciate your help.
#4
Toshi Esumi
Expert Member
Re: how to route traffic initiated from location to location C via location B on Fortigate 2019/11/20 09:05:17 (permalink)
0
Say the third party destination is D.D.D.D/32. If you're using the CLI, I would just leave the phase2 selector as 0/0<->0/0 but set a static route for D.D.D.D/32 to the tunnel interface without a GW. Adjust the policy, at least from internal at A to the tunnel, to limit the destination to D.D.D.D/32. If the third party side needs to initiate sessions, you need another policy for the opposite direction. Of course the B side needs to have the same set of policies accordingly.
Then, finally, make sure the internet NAT policy at B allows traffic from A.
#5
ssn179
New Member
Re: how to route traffic initiated from location to location C via location B on Fortigate 2019/11/21 04:01:28 (permalink)
0
toshiesumi
Please correct me on the configuration below, which I prepared considering only limited traffic allowed from the Country A firewall.
Country A firewall
------------------
1) Create Address: Third party (D.D.D.D/32) on VPN interface.
2) IPsec Phase-2:
Local host: let's say 10.10.10.0/24
Remote host: Country B f/w LAN(172.20.200.0/24) + Third party address created above in step 1.
3) Update IPsec VPN policy towards Country B firewall with third party address in the destination.
 
Country B firewall
------------------
1) Create Address: Third party (D.D.D.D/32) on wan interface.
2) IPsec Phase-2:
Local host: let's say 172.20.200.0/24 + Third party address created above in step 1.
Remote host: Country A LAN subnet: 10.10.10.0/24
3) Update IPsec VPN IPv4 policy with the below:
Source: Country A LAN, incoming interface: VPN interface
Destination: Third party address, destination interface: wan
Service: any
NAT enabled: yes
 
A default static route exists for all:
Destination: 0.0.0.0/0, G/W: ISP g/w, interface: WAN.
 
4) Do I need to configure a static route for the IPsec VPN as well, like:
Destination: Third party address D.D.D.D/32, interface: either ipsec_tunnel or wan?
 
Kindly please check and confirm.
#6
Toshi Esumi
Expert Member
Re: how to route traffic initiated from location to location C via location B on Fortigate 2019/11/21 09:51:39 (permalink) (marked Helpful by ssn179 2019/11/26 02:51:50)
0
Looks correct once you put the static routes for D.D.D.D/32 and 172.20.200.0/24 toward the tunnel at FGT-A, and for 10.10.10.0/24 toward the tunnel at FGT-B.
#7
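One way to express the FGT-B (transit) side of the design agreed above in FortiOS CLI, as an added example that is not the thread's or Fortinet's own configuration: the interface name wan1, the peer address A.A.A.A, the pre-shared key and the object names are placeholders, and D.D.D.D/32 is the thread's own placeholder for the third party host.

```fortios
# FGT-B (transit site), constructed example. Placeholders: wan1, A.A.A.A, <psk>.
config vpn ipsec phase1-interface
    edit "vpn-to-A"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set remote-gw A.A.A.A
        set psksecret <psk>
    next
end
config vpn ipsec phase2-interface
    edit "vpn-to-A-p2"
        set phase1name "vpn-to-A"
        set proposal aes256-sha256
        # selectors left at 0/0 as advised above; routes and policies do the scoping
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config firewall address
    edit "lan-A"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "thirdparty-D"
        set subnet D.D.D.D 255.255.255.255
    next
end
config router static
    # return traffic for A's LAN must go back into the tunnel, not out wan1
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "vpn-to-A"
    next
end
config firewall policy
    # tunnel -> wan: only A's LAN, only the whitelisted host, source-NAT to B's WAN IP
    edit 0
        set name "lanA-to-thirdparty"
        set srcintf "vpn-to-A"
        set dstintf "wan1"
        set srcaddr "lan-A"
        set dstaddr "thirdparty-D"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

FGT-A is the mirror: a phase1 pointing at B's WAN IP, the same 0/0 selectors, static routes for D.D.D.D/32 and 172.20.200.0/24 to the tunnel interface, and an internal-to-tunnel policy with destination thirdparty-D and NAT disabled. Because the selectors are 0/0, the srcaddr/dstaddr objects and the static routes are the only things constraining what crosses the tunnel, so keep them as narrow as the policy above.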
ssn179
New Member
Re: how to route traffic initiated from location to location C via location B on Fortigate 2019/11/26 02:51:55 (permalink)
0
toshiesumi
Thanks buddy, we are testing it internally. Thanks once again for your help and prompt advice.
#8