
Interconnecting Junos and FortiOS

Posted on 2014-01-28
Last Modified: 2014-03-05
I am trying to connect two routers.
A Fortigate 200B (FortiOS v5.0,build0147 (GA Patch 1)) and a Juniper SRX240H (JUNOS Software Release [11.4R5.5]).

Here is a quick diagram of the topology:

PC1[172.16.3.3/24]<->[172.16.3.1/24]SRX240[172.16.254.1/30]<->[172.16.254.2/30]FGT200B[192.168.1.150/24]<->[192.168.1.8]SERVER1

I can ping PC1 from SERVER1.
I can ping 172.16.254.1 from FortiGate 200B.
I cannot ping SERVER1 from PC1.
I cannot ping 172.16.254.2 from SRX240H.

FGT200B created a directly connected route for 172.16.254.0/30 and is pushing it through port10[172.16.254.2/30].
I cannot see the same thing on SRX240H. I tried creating a route to 172.16.254.0/30 on SRX240H with the outgoing interface port10[172.16.254.1/30], but I get the error message that the interface is not a point-to-point connection.

How can I get the two routers to communicate properly?
0
Question by:proteus-IV
 
LVL 12

Expert Comment

by:Infamus
ID: 39814814
Which port on Fortigate is connected to SRX240H?

Let's say you are connected as below:

SRX240[172.16.254.1/30]<->Port1-[172.16.254.2/30]FGT200B Portw [192.168.1.150/24]<->[192.168.1.8]SERVER1

The routes should be:

172.16.3.0/24 port1 172.16.254.1

On the router SRX240H, you need to add:

ip route 192.168.1.0 255.255.255.0 172.16.254.2
0
 

Author Comment

by:proteus-IV
ID: 39815854
Port10[172.16.254.2/30] on Fortigate is connected to port10[172.16.254.1/30] on Juniper.

I tried adding the route 192.168.1.0 255.255.255.0 172.16.254.2 on SRX240H, but I cannot access the 192.168.1.0/24 subnet from the SRX240H, nor the 172.16.254.0/30 subnet.

Here is the relevant output from the FGT200B routing table:
S       172.16.3.0/24 [10/0] via 172.16.254.1, port10
C       172.16.254.0/30 is directly connected, port10
C       192.168.1.0/24 is directly connected, switch


And also from SRX240H:

192.168.1.0/24    *[Static/5] 1d 01:52:57
                              > to 172.16.254.2 via ge-0/0/10.0
172.16.3.0/24      *[Direct/0] 1d 01:47:18
                              > via ge-0/0/1.0
172.16.254.0/30  *[Direct/0] 1d 01:47:18
                              > via ge-0/0/10.0
172.16.254.1/32  *[Local/0] 1d 01:47:31
                              > Local via ge-0/0/10.0


0
 
LVL 12

Expert Comment

by:Infamus
ID: 39819225
What is the gateway for PC1 and Server1?

You are not able to ping 172.16.254.2 from SRX240H?

Is the ICMP allowed on Fortinet interface 10?

Can you also post traceroute from PC1 to Server1?
0

 

Author Comment

by:proteus-IV
ID: 39836749
PC1 gateway: 172.16.3.1
Server1 gateway: 192.168.1.150

Yes, I am unable to ping 172.16.254.2 from SRX240H.

All protocols are allowed on Fortigate interface 10.

Here is the traceroute output from PC1 to Server1:

Tracing route to 192.168.1.8 over a maximum of 30 hops

1  <1ms  <1ms  <1ms  172.16.3.1
2  *  *  *  Request timed out.
3  *  *  *  Request timed out.
4  *  *  *  Request timed out.
5  *  *  *  Request timed out.
6  *  *  *  Request timed out.
7  *  *  *  Request timed out.
8  *  *  *  Request timed out.
9  *  *  *  Request timed out.
10  *  *  *  Request timed out.
11  *  *  *  Request timed out.
12  *  *  *  Request timed out.
13  *  *  *  Request timed out.
14  *  *  *  Request timed out.
15  *  *  *  Request timed out.
16  *  *  *  Request timed out.
17  *  *  *  Request timed out.
18  *  *  *  Request timed out.
19  *  *  *  Request timed out.
20  *  *  *  Request timed out.
21  *  *  *  Request timed out.
22  *  *  *  Request timed out.
23  *  *  *  Request timed out.
24  *  *  *  Request timed out.
25  *  *  *  Request timed out.
26  *  *  *  Request timed out.
27  *  *  *  Request timed out.
28  *  *  *  Request timed out.
29  *  *  *  Request timed out.
30  *  *  *  Request timed out.

Trace complete.


0
 
LVL 12

Expert Comment

by:Infamus
ID: 39836796
There is your issue.

SRX240[172.16.254.1/30]<->[172.16.254.2/30]FGT200B

The connection between SRX and FGT.

Is it a direct connection or what type of connection is this?
0
 

Author Comment

by:proteus-IV
ID: 39836854
It is a direct connection, ethernet port-to-port.

But, I am able to ping 172.16.254.1 from FGT200B.

I can also ping from Server1 to PC1.

Traceroute from Server1 to PC1 shows 192.168.1.150 as 1st hop and 172.16.254.1 as second hop and 172.16.3.3 as 3rd hop.
0
 
LVL 12

Accepted Solution

by:
Infamus earned 1500 total points
ID: 39836891
Since you are not able to ping from SRX to the Fortigate, I think that is the issue there.

You have the correct routing so I'm curious if Fortigate is blocking incoming traffic.
0
