Site-to-Site VPN Tunnel Between 2 Remote Sites and ( Through ) Head Office - FTD Managed By FDM

Ahmed.AA
Level 1

Hello,

We opened a new branch ( A ) and successfully established a site-to-site VPN tunnel with the head office ( HO ).

The head office ( IMI - HO ) already has a site-to-site VPN connection with another datacenter, which hosts the IFS application.

The problem is, in the new branch ( B ) we cannot reach the IFS application environment, knowing that we can reach the head office network through the S2S tunnel using the ISP public IP.

All traffic must be routed through HO. I think we are missing some settings in the HO FTD.

Any help?

Hopefully the attached snapshot can help understand the scenario.

Thanks

9 Replies

Ahmed.AA
Level 1

Sorry, some confusion in the original post.

Hello,

We opened a new branch ( DSY ) and successfully established a site-to-site VPN tunnel with the head office ( HO ).

The head office ( IMI - HO ) already has a site-to-site VPN connection with another datacenter, which hosts the IFS application.

The problem is, in the new branch ( DSY ) we cannot reach the IFS application environment, knowing that we can reach the head office network through the S2S tunnel using the ISP public IP.

All traffic must be routed through HO. I think we are missing some settings in the HO FTD.

Any help?

Hopefully the attached snapshot can help understand the scenario.

Thanks

Hi,
In the configuration of the VPN from "DSY Branch" to "IMI HO" you need to include the "IFS App" networks as part of "IMI HO" network, so the branch knows to reach the "IFS App" via "IMI HO". In the VPN configuration between "IMI HO" and "IFS App" you need to specify the "DSY Branch" networks as part of "IMI HO" network.

On the "IMI HO" FTD you will probably also need to define a NAT exemption rule from "DSY Branch" networks to "IFS App" and ensure that this traffic is not natted.

Please provide the output of "show nat detail" and screenshots of the VPN configuration.

HTH

Hi RJI

All that you stated first is already done in the S2S tunnels. Therefore the tunnels work from HO. The issue is from Branch to IFS App.

Agreed, maybe there is some misconfiguration in the NAT rules in HO.

Attached NAT details logs.

Knowing that the Branch private network is 10.5.1.1 and IFS is 172.22.4.8.

Thank you,

You'll need a Manual NAT rule from outside to outside; the output on the CLI would look something like this: "nat (outside,outside) source static BRANCH BRANCH destination static IFS IFS"

Obviously you'd create an object for BRANCH and IFS to represent the correct IP addresses.

HTH
Hi RJI

That did not work, but it was helpful.

Any other ideas about the issue?

See the updated NAT logs.

Try running packet-tracer and provide the output.
E.g. "packet-tracer input outside tcp 10.5.1.5 3000 172.22.4.8 80"

Does the Branch even route the traffic to HO? You may need a NAT exemption rule on the branch and IFS FTDs.

Check the output of "show crypto ipsec sa" on all FTDs and confirm that the IPSec SA has been built between the 2 networks.

Hi RJI

Attached is the output of packet-tracer from both HO and Branch.

The Branch has a default route to the outside gateway, a static route for the HO networks to the outside gateway, and another static route to IFS with the same gateway. Note that on the IFS side the device is a Fortigate FW.

IPsec has been configured for all tunnels.

 

So have you configured the Access Policy to permit traffic from branch (10.5.1.1) to IFS (172.22.4.8) on ALL firewalls? The packet-tracer output confirms traffic is being denied by the default rule on both firewalls.

As RJI mentioned, first allow the traffic through the ACLs. I would also like to point out that on ASA we need to have "same-security-traffic permit intra-interface" to allow traffic coming in and going out on the same interface; this needs to be configured on the IMI-HO site only (not sure about FTDs though). I also need to point out the NAT (OUTSIDE,OUTSIDE) configuration on the IMI-HO that RJI already mentioned.

You can find the attached example VPN configuration on ASA for your understanding. (I don't have the resources to fire up an FTD to simulate, but I have done that with ASAs.)

Diagram.png

H2H

### RATE ALL HELPFUL RESPONSES ###
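As an added illustration of the hub-side checklist the replies build up (both crypto ACLs on the hub carrying the spoke-to-spoke networks, the (outside,outside) identity NAT, "same-security-traffic permit intra-interface", and an access policy permit), here is a small Python checker that reports which of those pieces is missing for a given flow. It is not part of this thread and not a Cisco tool; the prefixes (10.5.1.0/24, 172.22.4.0/24, 10.10.0.0/16), tunnel names and the two hub layouts are constructed assumptions based only on the hosts 10.5.1.1 and 172.22.4.8 mentioned above.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Constructed prefixes: the thread only names the hosts 10.5.1.1 and 172.22.4.8,
# so the /24s and the head-office /16 below are assumptions for the example.
BRANCH = ipaddress.ip_network("10.5.1.0/24")   # DSY branch LAN (assumed)
IFS = ipaddress.ip_network("172.22.4.0/24")    # IFS datacenter LAN (assumed)
HO = ipaddress.ip_network("10.10.0.0/16")      # IMI HO LAN (assumed)


@dataclass
class Tunnel:
    """One S2S tunnel as seen from the hub: the (local, remote) pairs of its crypto ACL."""
    name: str
    proxy_ids: list[tuple[Net, Net]]


@dataclass
class Hub:
    """The pieces of hub (IMI HO) configuration a hairpinned flow depends on."""
    tunnels: list[Tunnel]
    # 'nat (outside,outside) source static A A destination static B B' pairs, as (src, dst)
    nat_exempt: list[tuple[Net, Net]]
    # access policy permits, as (src, dst)
    access_permits: list[tuple[Net, Net]]
    # 'same-security-traffic permit intra-interface'
    intra_interface: bool


def _covered(pairs: list[tuple[Net, Net]], a, b) -> bool:
    """True if some (x, y) pair has address a inside x and address b inside y."""
    return any(a in x and b in y for x, y in pairs)


def check_hairpin(hub: Hub, src: str, dst: str) -> list[str]:
    """Return what is missing for src -> dst to hairpin through the hub; [] means all present."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    findings: list[str] = []

    # Leg 1: the packet arrives encrypted from the spoke that owns src. The hub's crypto
    # ACL for that tunnel must list dst on the local side and src on the remote side.
    if not any(_covered(t.proxy_ids, d, s) for t in hub.tunnels):
        findings.append(f"no tunnel decrypts {src} -> {dst}: add {dst}'s network to the local side of the tunnel to {src}'s site")

    # Leg 2: the hub re-encrypts toward the spoke that owns dst, so another crypto ACL
    # must list src on the local side and dst on the remote side.
    if not any(_covered(t.proxy_ids, s, d) for t in hub.tunnels):
        findings.append(f"no tunnel encrypts {src} -> {dst}: add {src}'s network to the local side of the tunnel to {dst}'s site")

    # The packet enters and leaves on 'outside', which the ASA refuses by default.
    if not hub.intra_interface:
        findings.append("same-security-traffic permit intra-interface is not enabled")

    # Identity (twin static) NAT keeps the real addresses so the flow still matches the crypto ACLs.
    if not _covered(hub.nat_exempt, s, d):
        findings.append(f"no 'nat (outside,outside) source static ... destination static ...' exemption covers {src} -> {dst}")

    # The access policy is evaluated for hairpinned traffic like any other.
    if not _covered(hub.access_permits, s, d):
        findings.append(f"access policy does not permit {src} -> {dst}")

    return findings


# Hub as the thread describes it at the start: each tunnel only carries HO <-> its spoke.
BROKEN_HUB = Hub(
    tunnels=[Tunnel("DSY", [(HO, BRANCH)]), Tunnel("IFS", [(HO, IFS)])],
    nat_exempt=[(HO, BRANCH), (HO, IFS)],
    access_permits=[(HO, BRANCH), (HO, IFS)],
    intra_interface=False,
)

# Hub with the replies' advice applied in both directions.
FIXED_HUB = Hub(
    tunnels=[Tunnel("DSY", [(HO, BRANCH), (IFS, BRANCH)]),
             Tunnel("IFS", [(HO, IFS), (BRANCH, IFS)])],
    nat_exempt=[(HO, BRANCH), (HO, IFS), (BRANCH, IFS), (IFS, BRANCH)],
    access_permits=[(HO, BRANCH), (HO, IFS), (BRANCH, IFS), (IFS, BRANCH)],
    intra_interface=True,
)

if __name__ == "__main__":
    for label, hub in (("before", BROKEN_HUB), ("after", FIXED_HUB)):
        print(label, check_hairpin(hub, "10.5.1.1", "172.22.4.8") or ["OK"])
```

Run against the "before" layout the checker lists all five gaps for 10.5.1.1 -> 172.22.4.8; against the "after" layout it reports none in either direction. Each finding names the command family to look at, so it maps onto "show crypto ipsec sa", "show nat detail" and the packet-tracer checks suggested above. Because the checker keeps the crypto ACL as ordered (local, remote) pairs, it also catches the common mistake of adding the remote network to only one of the two tunnels.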
