02-13-2020 10:22 AM
Hello,
We opened a new branch (A) and successfully established a site-to-site VPN tunnel with the head office (HO).
The head office (IMI - HO) already has a site-to-site VPN connection with another datacenter, which hosts the IFS application.
The problem is that from the new branch (B) we cannot reach the IFS application environment, even though we can reach the head office network through the S2S tunnel using the ISP public IP.
All traffic must be routed through HO. I think we are missing some settings in the HO FTD.
Any help?
Hopefully the attached snapshot helps to understand the scenario.
Thanks
02-13-2020 10:25 AM
Sorry, there was some confusion in the original post.
Hello,
We opened a new branch (DSY) and successfully established a site-to-site VPN tunnel with the head office (HO).
The head office (IMI - HO) already has a site-to-site VPN connection with another datacenter, which hosts the IFS application.
The problem is that from the new branch (DSY) we cannot reach the IFS application environment, even though we can reach the head office network through the S2S tunnel using the ISP public IP.
All traffic must be routed through HO. I think we are missing some settings in the HO FTD.
Any help?
Hopefully the attached snapshot helps to understand the scenario.
Thanks
Hi RJI,
Everything you stated first is already done in the S2S tunnels, so the tunnels work from HO. The issue is from the branch to the IFS app.
Agreed, maybe there is some misconfiguration in the NAT rules on HO.
Attached are the NAT detail logs.
Note that the branch private network is 10.5.1.1 and IFS is 172.22.4.8.
Thank you,
02-13-2020 01:04 PM
Hi RJI,
Attached is the output of packet-tracer from both HO and the branch.
The branch has a default route to the outside gateway, a static route for the HO networks to the outside gateway, and another static route to IFS via the same gateway. Note that on the IFS side the device is a Fortigate FW.
IPsec has been configured for all tunnels.
02-13-2020 10:49 PM
As RJI mentioned, first allow the traffic through the ACLs. I would also like to point out that on the ASA we need "same-security-traffic permit intra-interface" to allow traffic coming in and going out on the same interface; that needs to be configured on the IMI-HO site only (not sure about FTDs though). I also need to point out the NAT (OUTSIDE,OUTSIDE) configuration on IMI-HO that RJI already mentioned.
You can find the attached example VPN configuration on ASA for your understanding. (I don't have the resources to fire up an FTD to simulate, but I have done this with ASAs.)
H2H
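For readers who do not have H2H's attachment (it is not reproduced on this page), the following is an added example, not the poster's configuration or H2H's file, of what the hub-side pieces named in the thread look like on an ASA: the intra-interface permit, the identity NAT on (outside,outside), and crypto ACLs on both tunnels that include the other tunnel's subnet. The subnets 10.5.1.0/24 (branch), 172.22.4.0/24 (datacenter) and 10.1.0.0/16 (HO LAN), and all object, ACL and crypto-map names, are assumptions; the thread only gives the hosts 10.5.1.1 and 172.22.4.8.

```cisco
! Added example (assumed names and subnets), not the poster's or H2H's config.
! Hub (IMI-HO) ASA: hairpin branch (DSY) <-> datacenter (IFS) traffic across two
! site-to-site tunnels that both terminate on the 'outside' interface.

! 1. Allow a packet decrypted on 'outside' to be re-encrypted out of 'outside'.
same-security-traffic permit intra-interface

object network HO-LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH-DSY
 subnet 10.5.1.0 255.255.255.0
object network DC-IFS
 subnet 172.22.4.0 255.255.255.0

! 2. Identity NAT on (outside,outside) so hairpinned traffic keeps its private
!    addresses and matches the crypto ACLs below. Place it before any dynamic
!    PAT rule for 'outside', which would otherwise translate the source.
nat (outside,outside) source static BRANCH-DSY BRANCH-DSY destination static DC-IFS DC-IFS no-proxy-arp route-lookup

! 3. Crypto ACLs: each tunnel must also carry the other tunnel's subnet.
!    The branch FTD and the datacenter Fortigate must mirror these selectors.
access-list VPN-TO-DSY extended permit ip object HO-LAN object BRANCH-DSY
access-list VPN-TO-DSY extended permit ip object DC-IFS object BRANCH-DSY
access-list VPN-TO-DC extended permit ip object HO-LAN object DC-IFS
access-list VPN-TO-DC extended permit ip object BRANCH-DSY object DC-IFS
! Existing crypto map entries (peer and proposal lines omitted here).
crypto map OUTSIDE-MAP 10 match address VPN-TO-DSY
crypto map OUTSIDE-MAP 20 match address VPN-TO-DC

! 4. Only if 'sysopt connection permit-vpn' has been disabled: the ACL applied
!    inbound on 'outside' must also permit the branch-to-IFS flow. Add the
!    permit to the ACL already bound there rather than binding a new one.
access-list OUTSIDE-IN extended permit ip object BRANCH-DSY object DC-IFS
access-group OUTSIDE-IN in interface outside

! Verification (run on the hub): the trace should hit the NAT rule in step 2,
! report no drop, and choose 'outside' as the egress interface.
! packet-tracer input outside tcp 10.5.1.10 40000 172.22.4.8 443 detailed
! show crypto ipsec sa peer <datacenter-peer-ip>
```

The branch side needs the mirror image: its protected networks for the tunnel to HO must include 172.22.4.0/24 in addition to the HO LAN, and the Fortigate's phase 2 selectors must include 10.5.1.0/24. On FTD the same items are configured through FMC (the NAT policy for the (outside,outside) identity rule and the protected networks of the site-to-site VPN topology) rather than with these CLI lines.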