Fortigate Routing

Asked by iamdieter:
Good day

We have a number of branches, and in one country specifically we have three branches. Out of the three, one branch acts as the head office for that specific country (Branch A). The other two branches have site-to-site IPsec tunnels to Branch A. In turn, Branch A has an IPsec tunnel to our Head Office. So from the other two offices we only allow traffic to and from Branch A and not the Head Office, for a number of reasons. On both IPsec tunnels we have the internal DNS IPs specified.

We do have an internal portal which should be accessible from both of the other two branches. It is hosted at the Head Office and accessed via URL. When you ping the URL it uses internal DNS and resolves to the internal IP.

How do we force the traffic for the portal to go via the internet and not the IPsec tunnel? At the moment we have an entry in the hosts files of the PCs, which is a workaround and not ideal. Any idea how we can have the traffic routed differently for the specific URL they need to access?
Sr.Net.Eng (Top Expert 2011) commented:
Have you considered using a destination NAT at the branch sites? When they access the internal IP it is NATed to the external IP destination. The NAT order of operations should then just route it accordingly out the internet instead of the VPN.

You may also want to look into NAT hairpinning as an option:

https://cookbook.fortinet.com/configure-hair-pinning-fortigate/
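The destination NAT suggested above, as an added FortiOS CLI example (not from the original thread or from Fortinet's cookbook). On the branch FortiGate a VIP rewrites the portal's internal IP to its public IP for packets arriving from the LAN; because FortiOS applies the VIP (DNAT) before the route lookup, the post-NAT destination is routed out the internet interface and a LAN-to-WAN policy matches instead of the LAN-to-tunnel policy. All addresses, interface names and object names are assumptions: 10.10.10.50 is the internal IP the portal hostname resolves to, 203.0.113.50 the public IP it is published on at Head Office, "internal" the branch LAN interface and "wan1" the branch internet interface.

```text
# Added example, not from the original post. Placeholder values (assumptions):
#   10.10.10.50   internal IP returned by internal DNS for the portal hostname
#   203.0.113.50  public IP the portal is published on at Head Office
#   internal      branch LAN interface;  wan1  branch internet interface

# 1. VIP: for packets arriving on the LAN with destination 10.10.10.50,
#    rewrite the destination to 203.0.113.50 (all ports; the policy limits services).
config firewall vip
    edit "portal-dnat-to-public"
        set extintf "internal"
        set extip 10.10.10.50
        set mappedip "203.0.113.50"
    next
end

# 2. Policy LAN -> internet using the VIP as destination. Source NAT is enabled
#    so the reply from Head Office returns over the internet to this FortiGate.
#    Place this policy above any general LAN -> wan1 "all" policy so it is the
#    one that matches and logs this traffic.
config firewall policy
    edit 0
        set name "portal-via-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "portal-dnat-to-public"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

To confirm the path, trace a session from a branch PC with `diagnose debug flow filter daddr 10.10.10.50`, `diagnose debug flow trace start 10` and `diagnose debug enable`; the trace should show the DNAT to 203.0.113.50 and the route via wan1, not the tunnel interface. Two caveats: the client's request still carries the portal hostname (Host header and TLS SNI), so nothing changes on the portal side except that it must already be published on the public IP at Head Office and must accept connections from the branch's public source address; and traffic that previously rode the IPsec tunnel now crosses the internet, so the portal should be reachable over HTTPS only if the branch-to-Head-Office path is to stay encrypted.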

Author (iamdieter) commented:
Thank you very much. I will give it a try and revert.
