Solved

Routing Traffic from INTERNAL to a VLAN on Fortigate 100A

Posted on 2013-05-28
Last Modified: 2014-03-07
Hello,

I'm having a problem with setting up a new test lab with a new VLAN.

We have a Fortigate 100A, an internal interface of 192.168.15.0/24.

The new VLAN ID is 50 and the subnet is 192.168.50.0/24, and I've set it up as a new VLAN interface.

Policy routes were set up to go from one to the other, and vice versa. Policy routes were set up as well to go from one to the other.

There is a Cisco switch in between which was setup with a VLAN50, and one port was setup as an access port for VLAN50.

I can ping TO the INTERNAL network from the new VLAN50, but I cannot ping FROM the INTERNAL network to the new VLAN50, no matter what device, nor can I ping the 192.168.50.1 gateway from the internal network.

I've tried playing with the different settings, etc., but can't figure it out.
Question by:CORPORAT
8 Comments

Assisted Solution

by:rauenpc
rauenpc earned 1125 total points
ID: 39202790
and one port was setup as an access port for VLAN50.

Which port on which device? Also, wouldn't you need multiple ports in vlan 50 on the switch to make this work? Perhaps more details on what ports are configured on vlan 50 would help.

Another troubleshooting step you could do would be to connect a laptop directly to the port on the fortigate that is configured for vlan 50. Then you don't need to worry about a switch config. If things work great, then it's a matter of looking at the switch's config; if it still doesn't work, there is an issue on the fortigate.

Author Comment

by:CORPORAT
ID: 39202976
Sorry!

A port on the Cisco switch was set as an access port for vlan 50; that is where I'm connecting the laptop.

The Cisco switch is uplinked to the Fortigate 100A's internal switch port #2 via a trunk port on the Cisco switch. Other VLAN traffic passes fine directly to the internet, but this is the first time I've needed to do inter-VLAN traffic (that's not VPN related).

Assisted Solution

by:rauenpc
rauenpc earned 1125 total points
ID: 39204628
Is vlan 50 allowed on the trunk? Use a "show int trunk" and you will be able to see which VLANs are forwarding and NOT pruned. If you see it in the allowed list but not in the forwarding list, I would first guess that the VLAN wasn't defined on the switch (even though it was added to the trunk). A simple "vlan 50" from config mode will get the VLAN added to the switch.
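The "show int trunk" check above, turned into a script: this is an added example, not code from the thread, from Cisco, or from Fortinet. It parses the three VLAN-list tables IOS prints (allowed, allowed-and-active, forwarding-and-not-pruned) and classifies a VLAN the way rauenpc describes. The sample output, the port name Gi0/24 and the VLAN numbers in it are constructed for illustration; the interesting case is VLAN 50, which is allowed on the trunk but never became active because it was not created on the switch.

```python
from __future__ import annotations

# Constructed sample of Cisco IOS "show interfaces trunk" output (not captured from the
# thread's switch). VLAN 50 is in the allowed list but absent from the active and
# forwarding lists: the pattern seen when a VLAN was added to the trunk's allowed list
# but never created with "vlan 50" in config mode.
SAMPLE_SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      1,10,20,50

Port        Vlans allowed and active in management domain
Gi0/24      1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      1,10,20
"""

# Header text of the three VLAN-list tables, mapped to the key used in the result.
SECTION_HEADERS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as "1,10,20-30" or "1-4094" into a set of VLAN IDs."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_int_trunk(text: str) -> dict[str, dict[str, set[int]]]:
    """Return {port: {"allowed": set, "active": set, "forwarding": set}}.

    IOS wraps long VLAN lists onto indented continuation lines, so a line that starts
    with whitespace extends the previous port's list for the current table.
    """
    ports: dict[str, dict[str, set[int]]] = {}
    section: str | None = None
    last_port: str | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            # Table header: pick the VLAN-list table it introduces, or None for the
            # Mode/Encapsulation/Status table, which carries no VLAN list.
            section = next((k for h, k in SECTION_HEADERS.items() if h in line), None)
            last_port = None
            continue
        if section is None:
            continue
        if line[0].isspace() and last_port is not None:
            ports[last_port][section] |= parse_vlan_list(line.strip())
            continue
        port, _, spec = line.partition(" ")
        entry = ports.setdefault(port, {k: set() for k in SECTION_HEADERS.values()})
        entry[section] = parse_vlan_list(spec.strip())
        last_port = port
    return ports


def diagnose_vlan(ports: dict, port: str, vlan: int) -> str:
    """Classify why a VLAN might not pass over a trunk, checking the three lists in order."""
    info = ports[port]
    if vlan not in info["allowed"]:
        return "not-allowed"      # not in the trunk's allowed list
    if vlan not in info["active"]:
        return "not-active"       # VLAN not defined on the switch: "vlan <id>" in config mode
    if vlan not in info["forwarding"]:
        return "not-forwarding"   # pruned or blocked by spanning tree
    return "ok"


if __name__ == "__main__":
    trunks = parse_show_int_trunk(SAMPLE_SHOW_INT_TRUNK)
    for vid in (10, 50, 99):
        print(f"VLAN {vid} on Gi0/24: {diagnose_vlan(trunks, 'Gi0/24', vid)}")
```

Feed it the real output of "show interfaces trunk" instead of the constructed sample; a result of "not-active" for VLAN 50 is the case rauenpc points at, and "not-forwarding" means the VLAN exists but is pruned or blocked, which is a different fix.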

Author Comment

by:CORPORAT
ID: 39209285
rauenpc,

- The fortigate is set up with an internal interface, that's 192.168.15.0/24. The VLAN is VLAN 50, 192.168.50.0/24.
- Firewall policy rules allowing all traffic from 192.168.15.0 to 192.168.50.0 and vice versa are set up.

- Yes, VLAN 50 was added to the Cisco 3560 with the "vlan 50" command; I even labeled it with a name.
- Yes, VLAN 50 is allowed on the trunk between the Fortigate 100A and the Cisco 3560 switch.

- We can ping from a device on the 192.168.50.0 network TO the 192.168.15.0 network, but cannot ping in reverse.

- We ran pings and ran two packet sniffers on the fortigate, and can see the fortigate getting the ping traffic from the 192.168.15.0 side hitting the fortigate at 192.168.15.1, but it doesn't make it to the 192.168.50.0 side.

It looks like it's the fortigate that's the issue here; I'm just wondering what is wrong or if we're doing something wrong.

Fortigate 100A
- Added VLAN interface of 192.168.50.0/24
- Set up DHCP server for 192.168.50.100 - 150
- Set up firewall policy to allow traffic between existing "INTERNAL" network and the new 192.168.50.0 network, in both directions
- Tried policy routes, tried static routes; the router monitor shows the 192.168.50.0 network as directly connected. Just can't understand why traffic isn't routing from the 192.168.15.0 to the 192.168.50.0 network.

Assisted Solution

by:rauenpc
rauenpc earned 1125 total points
ID: 39209298
Does the device on the 50 subnet have a software firewall that is blocking ping? By chance, is there possibly an asymmetric routing situation going on (are both devices using the firewall as a gateway directly, or is there a layer 3 device between)?

I'm just asking the dumb questions because nothing else comes to mind at the moment. I'm not sure what devices you're using, but is it possible to configure L3 interfaces on the switch to allow them to communicate directly, temporarily? I realize there will be no firewall in place, but this will at least verify whether there is any problem pinging between the two while on the subnets in question. Once you know for sure that they can ping, then move things back through the firewall and we can assume any issues are going to be on the fortigate.

Author Comment

by:CORPORAT
ID: 39209537
I had thought that might be the case, but no, I completely disabled the software firewalls, and even tried a second machine.

Also, another strange behavior, I can ping 192.168.50.1 from the 192.168.15.0 network, but not any other IP on the 192.168.50.0 network!

Windows clients don't get the 192.168.50.0 network route advertised automatically either.

We tested with another VLAN, and it works if we set it all up exclusively on the switch. Once the fortigate gets introduced as the router, it becomes a problem.

The 3560 is not doing any routing whatsoever, it's just being used as a switch.

Accepted Solution

by:megaman5
megaman5 earned 375 total points
ID: 39359826
I just had a problem where a VLAN interface on the internal wouldn't work on my fortigate. I had to remove it and build the VLAN interface as another interface facing an access interface on my switch, so the fortigate didn't need to do vlanning.

Also, try this:

config system settings
set asymroute enable
end

Author Closing Comment

by:CORPORAT
ID: 39912734
Thanks guys, I got it working with Fortigate support, but the correct solution is to create a new VLAN and migrate everything from INTERNAL to it; then this would have been easy.