Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1719
Views
5
Helpful
6
Replies

can't access internet via core switch

Go to solution
moamen1230
Level 1
Level 1

‎04-18-2021 01:40 AM

Hello

I have ws-c3750x-48 core switch. All i need is that all Vlans on my network can access internet, I connected FortiGate to interface 1 on core switch 

Fortigate Lan interface ip is 10.0.0.1/24

when i assign interface 1 on core switch as a trunk interface neither core or clients (other vlans) can reach fortigate
but when i assign it to the same vlan of core switch (vlan 100 > 10.0.0.0) core switch can reach fortigate but others can't.

here are the screenshots when i assign interface 1 to vlan 100

ping to forti.PNGping to internet.PNG

 

Running Configuration and Routing table are attached.

 

Thanks 

 

 

Preview file
2 KB
Preview file
12 KB
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎04-18-2021 01:57 AM

Hello @moamen1230 ,

using an access port in Vlan 100 to connect to Fortigate FW is correct as it is the correct IP subnet to use and with access port the frames are not tagged ( if using trunk they are tagged with Vlan id 100 on switch side).

 

However, you need to add:

on the Fortigate static routes to reach all the internal subnets

with next-hop 10.0.0.2

 

You need also to configure NAT for all internal subnets to allow them access to the Internet.

 

Simply put the configuration on the core switch is correct and complete you need to complete the configuration on the FW.

 

Hope to help

Giuseppe

 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎04-18-2021 01:56 AM - edited ‎04-18-2021 01:57 AM

High level i do not see any configuration issue related to switching.

Do you have NAT in Fortinet configured for all the VLAN IP address you configured?

 

Do you have stack of 7 switeches / as config show 7/0/1 ( this is access port, what is other side configured as Trunk ? fortnet side ?)

 

interface GigabitEthernet7/0/1
description Fortigate
switchport access vlan 100
switchport mode access

 

also in DHCP try to use DNS as 8.8.8.8 instead of 10.0.0.1

 

Configured  NAT :

 

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/421070/installing-a-fortigate-in-nat-mode

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
moamen1230
Level 1
Level 1
In response to balaji.bandi

‎04-18-2021 03:00 AM

core switch can reach forti and internet because they are in the same subnet.

i can't reach forti from any other subnets.

is the issue the routing between vlans on core ?

i think when other subnets can reach forti they can access the internet.

client.PNGclient2.PNG

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎04-18-2021 01:57 AM

Hello @moamen1230 ,

using an access port in Vlan 100 to connect to Fortigate FW is correct as it is the correct IP subnet to use and with access port the frames are not tagged ( if using trunk they are tagged with Vlan id 100 on switch side).

 

However, you need to add:

on the Fortigate static routes to reach all the internal subnets

with next-hop 10.0.0.2

 

You need also to configure NAT for all internal subnets to allow them access to the Internet.

 

Simply put the configuration on the core switch is correct and complete you need to complete the configuration on the FW.

 

Hope to help

Giuseppe

 

0 Helpful

Go to solution
moamen1230
Level 1
Level 1
In response to Giuseppe Larosa

‎04-18-2021 03:02 AM

core switch can reach forti and internet because they are in the same subnet.

i can't reach forti from any other subnets.

i think when other subnets can reach forti they can access the internet.
is the issue the routing between vlans on core ?

client.PNGclient2.PNG

0 Helpful

Go to solution
paul driver
VIP
VIP

‎04-18-2021 03:37 AM - edited ‎04-18-2021 03:39 AM

Hello

@moamen1230 wrote:

i think when other subnets can reach forti they can access the internet.
is the issue the routing between vlans on core ?

 

The FortiGate FW needs to be performing NAT for those other vlans and also requires to have static routes back towards the switch for the them


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
moamen1230
Level 1
Level 1

‎04-18-2021 06:25 AM

thank you all..

the issue was static routes on Fortigate FW

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card