Fortigate 100D and Comcast SMC Gateway causing weird DNS issue.

CruJones
CruJones used Ask the Experts™
on
I have several clients using FortiGate firewalls but they are all using traditional ISP models (fiber and T1's).  This is the first time one of my clients using a FortiGate 100D firewall is using Comcast BusinessClass internet with an SMC Gateway device and I'm having a weird DNS issue.  Client has a static IP assigned from Comcast and according to 3 different phone calls to Comcast tech support the SMC gateway is configured in a "passive" mode (since they don't support a true bridge mode) so the static IP info can be assigned to our fully updated FortiGate 100D and we can use the public IP to access the SSL VPN portal, etc.  I assigned the static public IP info from Comcast to my laptop, plug into the Comcast gateway and I can get out on the internet without any problems.  When I assign the static public IP info to the WAN interface on the 100D, the internet connection on my primary and secondary domain controllers that are also our DNS servers drops and thus none of our clients that use those DNS servers can get out on the internet.  If I manually assign the client a DNS such as 8.8.8.8 it can get out on the internet but that doesn't work for us, they need to be able to use the internal DNS servers.  The strange thing is if I configure the WAN interface on the 100D to use DHCP and allow the Comcast gateway to assign it one of it's internal IP's (10.1.10.2 for example) everything works fine on the network except nobody can use the SSL VPN portal because the 100D doesn't actually have the public IP configured on the WAN interface.  

I've called FortiNet tech support and Comcast tech support numerous times but they just point the finger at each other and nothing has been resolved.  The 100D is brand new with updated firmware and no custom routes/rules/policies other than a general outbound internet rule.

Any suggestions or help would be MUCH appreciated.  Thanks!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
LeoSnr Network Eng

Commented:
have you made sure ports are listening and open for vpn connections, and nothing is blocking it, means no rules or ACL, and they are in the right VLAN group....
Commented:
Thanks for the reply Striker, I was able to resolve the issue this morning during a troubleshooting session.  When I first connected to the FortiGate during the initial install it runs you through this little connection wizard asking you to configure your WAN, LAN, VPN info, etc.  What happened was during that wizard it created two static routes, one for the general outbound traffic and one for SSL VPN traffic.  The admin distance on both was set to 10, so for some reason that was throwing off DNS requests.  I changed the admin distance on the SSL VPN router to 20 and that immediately resolved the DNS issue.
LeoSnr Network Eng

Commented:
Good to know its working properly :-)

Author

Commented:
Was able to figure out issue with FortiNet tech support and posted results here.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial