VPN ACL Traffic

swcrook asked
Medium Priority
550 Views
Last Modified: 2012-05-06
Hello experts. I have a FortiGate 110C and a Cisco 1721 which have a successful IPsec site-to-site tunnel connected. The FortiGate is the "server/host" and the 1721 is the branch office.

Communication from the Internal port on the 1721 to the Internal port on the Fortigate passes successfully. I can RDP, ping, browse shares, etc. from the 1721 to the Fortigate. However, if I try to ping www.google.com from an internal client on the 1721 I can see that the ping resolves www.google.com to an IP, but there is no reply.

Also, I cannot RDP, ping, browse or otherwise connect to the 1721 from the Fortigate's Internal network. For those who are visual learners, this is what is happening:

10.10.10.0 0.0.0.255 -----> 10.10.0.0 0.0.255.255 works great
10.10.0.0 0.0.255.255 -----> 10.10.10.0 0.0.0.255 not so great

Is this an ACL problem on the 1721 or is this a firewall policy (Fortigates version of ACL) on the Fortigate?

I have a 1841 connected to the Fortigate with identical configs and it works great with no problems which tells me that there could be something on the 1721's end. It could be the Foritgate too I guess, but that setup is identical for both device as I have them grouped with the same settings, etc.

CERTIFIED EXPERT
Commented:
At first blush, it looks like a subnetting issue.

"10.10.10.0 0.0.0.255 -----> 10.10.0.0 0.0.255.255 works great
10.10.0.0 0.0.255.255 -----> 10.10.10.0 0.0.0.255 not so great"

10.10.0.0/16 overlaps with 10.10.10.0/24.  Devices on the 10.10.x.x subnet will think the 10.10.10.x devices are directly connected, and will not try to route over the VPN.

The reason connections work from the branch is that the Fortigate uses its own MAC address when communicating with the servers at the main site.

CERTIFIED EXPERT

Commented:
Try adding an explicit route on one of the devices at the main site, and see if it can connect.  (Windows assigns a metric of 20 for directly connected subnets; adding an explicit route should override the entry in the routing table.)

At a command line:  route add 10.10.10.0 mask 255.255.255.0 fortigate-ip-address
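
The two comments above make one argument: because 10.10.0.0/16 contains 10.10.10.0/24, a main-site host treats every branch address as on-link and ARPs for it instead of handing the packet to the FortiGate, and a more specific route is the way to override that. The following is an added example (written for this page, not code from the thread, Fortinet or Cisco) that models this with longest-prefix match over a host routing table, using the prefixes from the question. The FortiGate and 1721 LAN addresses (10.10.0.1, 10.10.10.1), the metrics and the renumbered branch subnet 10.20.10.0/24 are assumptions for illustration.

```python
"""Added example, not from the thread: why an overlapping VPN subnet
breaks the main-site -> branch direction, and why a more specific route
fixes it on a host. Uses longest-prefix match, which is what Windows,
Linux, FortiOS and IOS all do. Prefixes are the ones from the question;
gateway addresses and metrics are assumptions for illustration."""
import ipaddress

MAIN_SITE_LAN = "10.10.0.0/16"     # from the question
BRANCH_LAN = "10.10.10.0/24"       # from the question
FORTIGATE_LAN_IP = "10.10.0.1"     # assumed
ROUTER_1721_LAN_IP = "10.10.10.1"  # assumed


def overlapping_subnets(local_nets, remote_nets):
    """Every (local, remote) pair whose address ranges overlap.

    Run this against the local LAN and every remote VPN subnet before
    bringing a tunnel up: any hit means hosts on the local side will
    treat part of the remote network as on-link and never send it to
    the VPN gateway.
    """
    hits = []
    for local in local_nets:
        l_net = ipaddress.ip_network(local, strict=False)
        for remote in remote_nets:
            r_net = ipaddress.ip_network(remote, strict=False)
            if l_net.overlaps(r_net):
                hits.append((str(l_net), str(r_net)))
    return hits


def select_route(routes, dst):
    """Longest-prefix match over (prefix, next_hop, metric) entries.

    next_hop None marks a directly connected (on-link) prefix: the host
    ARPs for dst itself instead of forwarding to a gateway. The most
    specific prefix wins; equal lengths fall back to the lower metric.
    Returns (prefix, next_hop), or None when nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, (str(net), next_hop))
    return best[1] if best else None


def main_site_host_routes(with_explicit_route=False):
    """Constructed routing table of a host on the main-site /16.

    The thread's 'route add 10.10.10.0 mask 255.255.255.0 <fortigate>'
    is modelled by the optional /24 entry.
    """
    routes = [
        ("0.0.0.0/0", FORTIGATE_LAN_IP, 25),  # default via the FortiGate
        (MAIN_SITE_LAN, None, 20),            # on-link /16 (thread quotes metric 20)
    ]
    if with_explicit_route:
        routes.append((BRANCH_LAN, FORTIGATE_LAN_IP, 1))
    return routes


def branch_host_routes():
    """Constructed routing table of a host behind the 1721."""
    return [
        ("0.0.0.0/0", ROUTER_1721_LAN_IP, 25),  # default via the 1721
        (BRANCH_LAN, None, 20),                 # on-link /24
    ]


if __name__ == "__main__":
    print("overlap:", overlapping_subnets([MAIN_SITE_LAN], [BRANCH_LAN]))
    # Main site -> branch: the /16 swallows 10.10.10.x, so the host ARPs
    # for it locally and the packet never reaches the FortiGate.
    print("main -> branch:", select_route(main_site_host_routes(), "10.10.10.5"))
    # With the explicit /24 the more specific prefix wins and the packet
    # goes to the FortiGate, which can then put it into the tunnel.
    print("main -> branch, /24 added:",
          select_route(main_site_host_routes(True), "10.10.10.5"))
    # Branch -> main site: nothing on the /24 matches 10.10.50.x, so the
    # host hands the packet to the 1721, which encrypts it. This is the
    # direction the question reports as working.
    print("branch -> main:", select_route(branch_host_routes(), "10.10.50.7"))
    # Renumbering the branch out of the /16 removes the overlap.
    print("renumbered:", overlapping_subnets([MAIN_SITE_LAN], ["10.20.10.0/24"]))
```

The host-level route only helps the machine it is added on; the FortiGate still has to route 10.10.10.0/24 into the tunnel rather than onto its own /16 interface, so the same longest-prefix check applies to the gateway's table as well.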

Author

Commented:
The explicit route didn't help, but I can't exclude it altogether. On the 1841 with similar settings, the subnet is /24 and it can browse the internet through the VPN, but that network can not be connected to either. My first statement was inaccurate, so it appears it could be a subnet issue.

Can you tell me why MPLS/BGP lets me connect from the main to all branch sites which have a /24 subnet?

Any other ideas, or is it possible that the explicit route would work but there is a blockage somewhere of the traffic? Thanks
CERTIFIED EXPERT

Commented:
I'm not familiar enough with the Fortigate product.  With a Cisco, I'd suspect that the traffic was somehow being caught by the NAT rules.

Author

Commented:
Does a VPN tunnel inherently allow traffic both ways? From what I can tell it DOES NOT, but it does allow outgoing traffic?

Author

Commented:
I am going to change the subnetting to see if that resolves the issue. I will let you know, thanks.
CERTIFIED EXPERT

Commented:
A VPN tunnel does usually allow traffic in both directions.  But that doesn't mean an access-list, packet filter, or stateful firewall can't block it somewhere.
 