Interconnecting Junos and FortiOS

I am trying to connect two routers.
A Fortigate 200B (FortiOS v5.0,build0147 (GA Patch 1)) and a Juniper SRX240H (JUNOS Software Release [11.4R5.5]).

Here is a quick diagram of the topology:

PC1[172.16.3.3/24]<->[172.16.3.1/24]SRX240[172.16.254.1/30]<->[172.16.254.2/30]FGT200B[192.168.1.150/24]<->[192.168.1.8]SERVER1

I can ping PC1 from SERVER1.
I can ping 172.16.254.1 from FortiGate 200B.
I cannot ping SERVER1 from PC1.
I cannot ping 172.16.254.2 from SRX240H.

FGT200B created a directly connected route for 172.16.254.0/30 and is pushing it through port10[172.16.254.2/30].
I cannot see the same thing on SRX240H. I tried creating a route to 172.16.254.0/30 on SRX240H with the outgoing interface port10[172.16.254.1/30], but I get the error message that the interface is not a point-to-point connection.

How can I get the two routers to communicate properly?
Asked by: proteus-IV

Infamus Commented:
Which port on Fortigate is connected to SRX240H?

Let's say you are connected as below:

SRX240[172.16.254.1/30]<->Port1-[172.16.254.2/30]FGT200B Portw [192.168.1.150/24]<->[192.168.1.8]SERVER1

The routes should be:

172.16.3.0/24 port1 172.16.254.1

On the router SRX240H, you need to add:

ip route 192.168.1.0 255.255.255.0 172.16.254.2
proteus-IV (Author) Commented:
Port10[172.16.254.2/30] on Fortigate is connected to port10[172.16.254.1/30] on Juniper.

I tried adding the route 192.168.1.0 255.255.255.0 172.16.254.2 on SRX240H, but I cannot access the 192.168.1.0/24 subnet from the SRX240H, nor the 172.16.254.0/30 subnet.

Here is the relevant output from the FGT200B routing table:
S       172.16.3.0/24 [10/0] via 172.16.254.1, port10
C       172.16.254.0/30 is directly connected, port10
C       192.168.1.0/24 is directly connected, switch

And also from SRX240H:

192.168.1.0/24    *[Static/5] 1d 01:52:57
                              > to 172.16.254.2 via ge-0/0/10.0
172.16.3.0/24      *[Direct/0] 1d 01:47:18
                              > via ge-0/0/1.0
172.16.254.0/30  *[Direct/0] 1d 01:47:18
                              > via ge-0/0/10.0
172.16.254.1/32  *[Local/0] 1d 01:47:31
                              > Local via ge-0/0/10.0

Infamus Commented:
What is the gateway for PC1 and Server1?

You are not able to ping 172.16.254.2 from SRX240H?

Is the ICMP allowed on Fortinet interface 10?

Can you also post traceroute from PC1 to Server1?
proteus-IV (Author) Commented:
PC1 gateway: 172.16.3.1
Server1 gateway: 192.168.1.150

Yes, I am unable to ping 172.16.254.2 from SRX240H.

All protocols are allowed on Fortigate interface 10.

Here is the traceroute output from PC1 to Server1:

Tracing route to 192.168.1.8 over a maximum of 30 hops

1  <1ms  <1ms  <1ms  172.16.3.1
2  *  *  *  Request timed out.
3  *  *  *  Request timed out.
4  *  *  *  Request timed out.
5  *  *  *  Request timed out.
6  *  *  *  Request timed out.
7  *  *  *  Request timed out.
8  *  *  *  Request timed out.
9  *  *  *  Request timed out.
10  *  *  *  Request timed out.
11  *  *  *  Request timed out.
12  *  *  *  Request timed out.
13  *  *  *  Request timed out.
14  *  *  *  Request timed out.
15  *  *  *  Request timed out.
16  *  *  *  Request timed out.
17  *  *  *  Request timed out.
18  *  *  *  Request timed out.
19  *  *  *  Request timed out.
20  *  *  *  Request timed out.
21  *  *  *  Request timed out.
22  *  *  *  Request timed out.
23  *  *  *  Request timed out.
24  *  *  *  Request timed out.
25  *  *  *  Request timed out.
26  *  *  *  Request timed out.
27  *  *  *  Request timed out.
28  *  *  *  Request timed out.
29  *  *  *  Request timed out.
30  *  *  *  Request timed out.

Trace complete.

Infamus Commented:
There is your issue.

SRX240[172.16.254.1/30]<->[172.16.254.2/30]FGT200B

The connection between SRX and FGT.

Is it a direct connection or what type of connection is this?
proteus-IV (Author) Commented:
It is a direct connection, ethernet port-to-port.

But, I am able to ping 172.16.254.1 from FGT200B.

I can also ping from Server1 to PC1.

Traceroute from Server1 to PC1 shows 192.168.1.150 as 1st hop and 172.16.254.1 as second hop and 172.16.3.3 as 3rd hop.
Infamus Commented:
Since you are not able to ping from SRX to the Fortigate, I think that is the issue there.

You have the correct routing so I'm curious if Fortigate is blocking incoming traffic.
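
A way to check the "correct routing" observation above, as an added example that is not part of the original thread: a longest-prefix-match lookup over the two routing tables posted earlier, traced in both directions. The function names (`lookup`, `trace`) and the `OWNER` map are assumptions made for illustration; the prefixes, next hops and gateways are transcribed from the posts.

```python
import ipaddress

# Routing tables transcribed from the outputs posted in the thread.
# A next hop of None means directly connected / local.
TABLES = {
    "FGT200B": [
        ("172.16.3.0/24", "172.16.254.1"),
        ("172.16.254.0/30", None),
        ("192.168.1.0/24", None),
    ],
    "SRX240H": [
        ("192.168.1.0/24", "172.16.254.2"),
        ("172.16.3.0/24", None),
        ("172.16.254.0/30", None),
        ("172.16.254.1/32", None),
    ],
}
# Which router owns which interface address (from the topology diagram).
OWNER = {"172.16.3.1": "SRX240H", "172.16.254.1": "SRX240H",
         "172.16.254.2": "FGT200B", "192.168.1.150": "FGT200B"}


def lookup(router, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in TABLES[router]
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), nh


def trace(first_gateway, dst, max_hops=8):
    """Follow next hops starting at a host's default gateway; return the
    routers crossed, ending with 'delivered', 'no route' or 'loop'."""
    router, path = OWNER[first_gateway], []
    for _ in range(max_hops):
        path.append(router)
        hit = lookup(router, dst)
        if hit is None:
            return path + ["no route"]
        if hit[1] is None:  # connected subnet: this router delivers directly
            return path + ["delivered"]
        router = OWNER[hit[1]]
    return path + ["loop"]


if __name__ == "__main__":
    print("PC1 -> SERVER1:", trace("172.16.3.1", "192.168.1.8"))
    print("SERVER1 -> PC1:", trace("192.168.1.150", "172.16.3.3"))
    print("SRX -> 172.16.254.2:", lookup("SRX240H", "172.16.254.2"))
```

Both directions resolve to a connected subnet, and the SRX240H reaches 172.16.254.2 through its direct /30 route, so the one-way failure is not explained by the routing tables themselves.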