moamen1230
Beginner

can't access internet via core switch

Hello

I have a WS-C3750X-48 core switch. All I need is for all VLANs on my network to be able to access the internet. I connected the FortiGate to interface 1 on the core switch.

FortiGate LAN interface IP is 10.0.0.1/24.

When I assign interface 1 on the core switch as a trunk interface, neither the core nor the clients (other VLANs) can reach the FortiGate,
but when I assign it to the same VLAN as the core switch (VLAN 100 > 10.0.0.0), the core switch can reach the FortiGate but the others can't.

Here are the screenshots from when I assign interface 1 to VLAN 100:

[Screenshots attached: ping to forti.PNG, ping to internet.PNG]

Running configuration and routing table are attached.

Thanks

Accepted Solution
Giuseppe Larosa
Hall of Fame Master

Hello @moamen1230,

Using an access port in VLAN 100 to connect to the FortiGate FW is correct, as it is the correct IP subnet to use, and with an access port the frames are not tagged (if using a trunk they are tagged with VLAN ID 100 on the switch side).

However, you need to add, on the FortiGate, static routes to reach all the internal subnets with next-hop 10.0.0.2.

You also need to configure NAT for all internal subnets to allow them access to the Internet.

Simply put, the configuration on the core switch is correct and complete; you need to complete the configuration on the FW.

Hope to help

Giuseppe

6 Replies
balaji.bandi
VIP Expert

At a high level I do not see any configuration issue related to switching.

Do you have NAT configured on the Fortinet for all the VLAN IP addresses you configured?

Do you have a stack of 7 switches, as the config shows 7/0/1? (This is an access port; is the other side, the Fortinet side, configured as a trunk?)

interface GigabitEthernet7/0/1
description Fortigate
switchport access vlan 100
switchport mode access

Also, in DHCP try using 8.8.8.8 as the DNS server instead of 10.0.0.1.

Configure NAT:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/421070/installing-a-fortigate-in-nat-mode



BB


*** Rate All Helpful Responses ***

The core switch can reach the FortiGate and the internet because they are in the same subnet.

I can't reach the FortiGate from any other subnets.

Is the issue the routing between VLANs on the core?

I think when the other subnets can reach the FortiGate they will be able to access the internet.

[Screenshots attached: client.PNG, client2.PNG]


paul driver
VIP Mentor

Hello


@moamen1230 wrote:

I think when the other subnets can reach the FortiGate they will be able to access the internet.
Is the issue the routing between VLANs on the core?

The FortiGate FW needs to be performing NAT for those other VLANs and also requires static routes back towards the switch for them.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
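The two answers above (static routes back to the switch, plus NAT for the internal subnets) can be checked mechanically. The following is an added example, not code from the thread, from Cisco or from Fortinet: a small Python model of the topology that does longest-prefix-match forwarding on each device and then traces the echo reply back, so it reproduces exactly what the original poster saw (the core switch at 10.0.0.2 reaches the FortiGate and the internet, other VLANs do not) and shows why the fix works. Only 10.0.0.1 (FortiGate LAN) and 10.0.0.2 (switch SVI) come from the post; the VLAN 10/20 subnets, the device and interface names, and 8.8.8.8 as the test destination are constructed assumptions.

```python
import ipaddress


class Device:
    """One L3 hop: connected interfaces, static routes, and whether it source-NATs toward the WAN."""

    def __init__(self, name, interfaces, routes=(), nat=False):
        self.name = name
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.nat = nat

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes.

        Returns ('connected', ifname), ('via', next-hop-ip-or-'internet'), or None.
        """
        candidates = [(i.network.prefixlen, ("connected", n))
                      for n, i in self.interfaces.items() if dst in i.network]
        candidates += [(p.prefixlen, ("via", nh)) for p, nh in self.routes if dst in p]
        return max(candidates, key=lambda c: c[0])[1] if candidates else None


class Topology:
    def __init__(self, devices):
        self.devices = {d.name: d for d in devices}

    def owner(self, addr):
        """Device that holds addr on one of its interfaces (None for a plain host)."""
        return next((d for d in self.devices.values()
                     if any(i.ip == addr for i in d.interfaces.values())), None)

    def gateway_for(self, addr):
        """Device whose connected subnet contains addr, i.e. the host's default gateway."""
        return next((d for d in self.devices.values()
                     if any(addr in i.network for i in d.interfaces.values())), None)

    def forward(self, src, dst, start=None, hop_limit=8):
        """Walk one packet hop by hop.

        Outcomes: 'delivered' (dst is on a connected subnet of the last hop),
        'internet' (left via the WAN default route), 'no-nat' (a private source
        would leave the WAN untranslated), 'no-route', or 'loop'.
        """
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        dev = start or self.owner(src) or self.gateway_for(src)
        path = []
        while dev is not None and len(path) < hop_limit:
            path.append(dev.name)
            hop = dev.lookup(dst)
            if hop is None:
                return "no-route", path
            kind, target = hop
            if kind == "connected":
                return "delivered", path
            if target == "internet":
                return ("internet" if dev.nat or src.is_global else "no-nat"), path
            dev = self.owner(ipaddress.ip_address(target))
        return ("loop" if dev is not None else "no-route"), path

    def ping(self, src, dst):
        """True only if the echo request arrives AND the echo reply routes back to src."""
        out, _ = self.forward(src, dst)
        if out == "delivered":
            back, _ = self.forward(dst, src)
        elif out == "internet":
            # The reply returns to the WAN side of the NAT device, which must then
            # know a route to src; without one it bounces back out the default route.
            edge = next((d for d in self.devices.values() if d.nat), None)
            back, _ = self.forward(dst, src, start=edge) if edge else ("no-route", [])
        else:
            return False
        return back == "delivered"


def build(fortigate_static_routes=(), fortigate_nat=True):
    """Thread topology. 10.0.0.1 (FortiGate LAN) and 10.0.0.2 (switch SVI) come from the
    post; the VLAN 10/20 subnets are constructed stand-ins for the poster's other VLANs."""
    core = Device("core-3750X",
                  {"Vlan100": "10.0.0.2/24",
                   "Vlan10": "192.168.10.1/24",      # constructed
                   "Vlan20": "192.168.20.1/24"},     # constructed
                  routes=[("0.0.0.0/0", "10.0.0.1")])
    fgt = Device("fortigate", {"lan": "10.0.0.1/24"},
                 routes=[("0.0.0.0/0", "internet"), *fortigate_static_routes],
                 nat=fortigate_nat)
    return Topology([core, fgt])


RETURN_ROUTES = [("192.168.10.0/24", "10.0.0.2"), ("192.168.20.0/24", "10.0.0.2")]
AS_POSTED = build()                                        # NAT on, no routes back to the VLANs
FIXED = build(RETURN_ROUTES)                               # Giuseppe's static routes added
ROUTES_NO_NAT = build(RETURN_ROUTES, fortigate_nat=False)  # routes present but NAT missing

if __name__ == "__main__":
    for label, topo in [("as posted", AS_POSTED), ("fixed", FIXED), ("routes, no NAT", ROUTES_NO_NAT)]:
        for src, dst in [("10.0.0.2", "8.8.8.8"), ("192.168.10.50", "10.0.0.1"), ("192.168.10.50", "8.8.8.8")]:
            print(f"{label:15} {src:>14} -> {dst:<10} {'OK' if topo.ping(src, dst) else 'FAIL'}")
```

The model deliberately checks both directions: the request from a VLAN 10 client does reach 10.0.0.1 over the core's connected VLAN 100, but the FortiGate has only its default route, so the reply leaves via the WAN and never returns, which is the symptom in the screenshots. Adding the static routes fixes reachability to the firewall; NAT is still needed separately for the private sources to get out, which is the third scenario.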
moamen1230
Beginner

Thank you all.

The issue was the static routes on the FortiGate FW.