

VPN ACL Traffic

swcrook asked
Medium Priority
Last Modified: 2012-05-06
Hello experts. I have a FortiGate 110C and a Cisco 1721 which have a successful IPSEC site-to-site tunnel connected. The FortiGate is the "server/host" and the 1721 is the branch office.

Communication from the Internal port on the 1721 to the Internal port on the Fortigate passes successfully. I can RDP, ping, browse shares, etc. from the 1721 to the Fortigate. However, if I try to ping www.google.com from an internal client on the 1721 I can see that the ping resolves www.google.com to an IP, but there is no reply.

Also, I cannot RDP, ping, browse or otherwise connect to the 1721 from the Fortigate's Internal network. For those who are visual learners, this is what is happening: -----> works great -----> not so great

Is this an ACL problem on the 1721 or is this a firewall policy (Fortigates version of ACL) on the Fortigate?

I have a 1841 connected to the Fortigate with identical configs and it works great with no problems, which tells me that there could be something on the 1721's end. It could be the Fortigate too I guess, but that setup is identical for both devices as I have them grouped with the same settings, etc.

At first blush, it looks like a subnetting issue.

" -----> works great -----> not so great" overlaps with  Devices on the 10.10.x.x subnet will think the 10.10.10.x devices are directly connected, and will not try to route over the VPN.

The reason connections work from the branch is that the Fortigate uses its own MAC address when communicating with the servers at the main site.


Try adding an explicit route on one of the devices at the main site, and see if it can connect.  (Windows assigns a metric of 20 for directly connected subnets; adding an explicit route should override the entry in the routing table.)

At a command line:  route add mask fortigate-ip-address
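The routing decision described in this answer, as an added example that is not part of the thread. The exact prefixes were lost from the page, so the addressing below is constructed to match the "10.10.x.x" main-site LAN and "10.10.10.x" branch LAN the answer mentions: main site 10.10.0.0/16, branch 10.10.10.0/24, FortiGate inside address 10.10.0.1. It models a host's longest-prefix-match lookup to show why a host on the overlapping /16 treats a branch address as on-link (ARPs for it and gets nothing) and why an explicit /24 route toward the FortiGate wins the lookup.

```python
"""Added example (not from the thread): overlapping LAN subnets and the effect
of an explicit host route on a site-to-site VPN.

Assumed addressing (constructed; the thread's real prefixes are not on the page):
  MAIN_LAN   = 10.10.0.0/16   directly connected on the main-site host
  BRANCH_LAN = 10.10.10.0/24  behind the branch router, reachable via the FortiGate
  FORTIGATE  = 10.10.0.1      FortiGate inside interface (assumed)
"""
from ipaddress import ip_address, ip_network

MAIN_LAN = ip_network("10.10.0.0/16")     # assumed, directly connected
BRANCH_LAN = ip_network("10.10.10.0/24")  # assumed, remote end of the tunnel
FORTIGATE = ip_address("10.10.0.1")       # assumed VPN gateway address

ON_LINK = None  # next hop value meaning "deliver directly, ARP for the destination"


def overlap_report(local_prefix, remote_prefix):
    """True when the locally connected prefix covers (or intersects) the remote one.

    This is the condition from the answer: if the main-site /16 contains the
    branch /24, main-site hosts never consult the gateway for branch addresses.
    """
    return local_prefix.overlaps(remote_prefix)


def host_table(with_explicit_route):
    """Build a minimal host routing table: (prefix, next_hop) entries.

    The connected /16 is always present.  The optional entry is what
    'route add 10.10.10.0 mask 255.255.255.0 10.10.0.1' would install.
    """
    table = [(MAIN_LAN, ON_LINK)]
    if with_explicit_route:
        table.append((BRANCH_LAN, FORTIGATE))
    return table


def lookup(table, destination):
    """Longest-prefix match, the way a host IP stack picks a route.

    Returns the (prefix, next_hop) entry with the longest matching prefix,
    or None when nothing matches (no default route is modelled here).
    """
    dst = ip_address(destination)
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def next_hop_for(destination, with_explicit_route):
    """Next hop a main-site host would use for `destination`.

    ON_LINK (None) means the host ARPs on the local segment; for a branch
    address that ARP is never answered, so the packet silently goes nowhere.
    FORTIGATE means the packet is handed to the VPN gateway.
    """
    match = lookup(host_table(with_explicit_route), destination)
    return match[1] if match else None


def explain(destination, with_explicit_route):
    """Human-readable description of the routing outcome for one destination."""
    nh = next_hop_for(destination, with_explicit_route)
    if nh is ON_LINK:
        return f"{destination}: treated as on-link in {MAIN_LAN}, ARP gets no reply"
    return f"{destination}: forwarded to VPN gateway {nh}"


if __name__ == "__main__":
    print("overlap:", overlap_report(MAIN_LAN, BRANCH_LAN))
    for explicit in (False, True):
        print("explicit route" if explicit else "connected only")
        print("  " + explain("10.10.10.5", explicit))   # branch host
        print("  " + explain("10.10.20.5", explicit))   # main-site host
```

The branch-to-main direction is unaffected by this table because it is the FortiGate, not a main-site host, that makes the forwarding decision there. Changing the main-site LAN to a prefix that does not contain the branch LAN removes the need for per-host routes entirely.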


The explicit route didn't help, but I can't exclude it altogether. On the 1841 with similar settings, the subnet is /24 and it can browse the internet through the VPN, but that network can not be connected to either. My first statement was inaccurate, so it appears it could be a subnet issue.

Can you tell me why MPLS/BGP lets me connect from the main to all branch sites which have a /24 subnet?

Any other ideas, or is it possible that the explicit route would work but there is a blockage somewhere of the traffic? Thanks

I'm not familiar enough with the Fortigate product.  With a Cisco, I'd suspect that the traffic was somehow being caught by the NAT rules.


Does a VPN tunnel inherently allow traffic both ways? From what I can tell it DOES NOT, but it does allow outgoing traffic?


I am going to change the subnetting to see if that resolves the issue. I will let you know, thanks.

A VPN tunnel does usually allow traffic in both directions.  But that doesn't mean an access-list, packet filter, or stateful firewall can't block it somewhere.