
No internet access

TECH-JEFF
Level 1

Hi,

 

Just finished setting up SSVPN from a main office, which uses a Fortigate 61E, to the branch office, which uses a Cisco 2801 router. The tunnel/connection is established on both sides, but at the branch office their IP phones are working because they connect to the main office, yet they can't browse the Internet. At the branch office I tried ping and tracert; they just ended at the router interface, which is also their gateway. It doesn't come out. The router itself does have an Internet connection and can ping and tracert to URLs and DNS.

The router has a default route going to the WAN IP (gateway) of the branch office. 

Is there anything else I need to check on?

 

Thanks

Jeff

Jefferson Co
2 Accepted Solutions


Richard Burts
Hall of Fame

Jeff

 

We do not yet have enough information to be able to identify what is causing this or to give you good advice about how to solve it. You do tell us that ip phones at the branch do work which tells us that at least that part of the site to site vpn is working. You do not tell us whether the PCs and the phones are in the same vlan/same subnet or are in different ones.

 

Can you tell us about the encryption policy? Is this using traditional vpn with crypto maps etc or is it something like VTI? Does the branch router send all of its traffic (including traffic to the Internet) through the vpn or does it send only traffic with destination in the subnets at the Main office?

 

Can you tell us if the Fortigate at the Main office is configured to receive Internet traffic from the branch and forward it to the Internet? Can you tell us if the Fortigate at the Main office is configured to do address translation for traffic from the branch headed to the Internet?

 

HTH

 

Rick


Hi 

Have you added the branch's networks into the ACLs allowing the NAT on the fortinet? The fortinet should know how to return a packet toward the branch. 




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

5 Replies

Apologies for the incomplete info; actually, the problem has been solved. OK, here's my situation.

 

Main Branch - Fortigate 61E

Branch Office - Cisco Router 2801

 

The IP phones at the branch office connect to the main office IP PBX server via SSVPN. The issue here is that though the computers at the branch office have IP addresses coming from the Cisco router, they can't go online. They get an IP from the router but point to a DNS at the main office. I can do a UNC path from the branch office to the main, do an RDP session, everything except browsing. No proxy, no other firewalls blocking. As for the subnet, it's a flat network with no VLANs.

 

To be honest, this is the first time I've set up SSVPN. As for the crypto maps, I'm not sure what they do or how they work; I copied my config from the article below:

 

https://blog.webernetz.net/ipsec-site-to-site-vpn-fortigate-cisco-router/

 

Which also answers the 3rd paragraph of Richard's post. What solved the issue are the 3 lines below, which I added on the router.

 

ip nat inside (on the FastEthernet interface that has the internal IP)

ip nat outside (on the FastEthernet interface that has the WAN IP)

ip nat inside source list NAT interface FastEthernet0/0 overload

 

This was answered by Julio Moisa. After putting in these 3 command lines, users in the branch office could get out to the Internet. I'm sorry for the confusion and lack of details; this was due to the rush and the sense of urgency to find a solution, in order to make the customer happy and not have a long downtime. I really appreciate the responses and input, and I'm charging it to experience.

 

Have a great weekend guys and thanks again

Jeff

Jefferson Co
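
The three commands from the post above shown in their configuration context, as an added example that is not part of the original thread. The subnets and the inside interface name FastEthernet0/1 are constructed placeholders, and the `deny` entry assumes a crypto-map (policy-based) tunnel on the WAN interface; with a VTI that entry is harmless.

```cisco
! Added example, not the poster's configuration.
! Assumed placeholders: branch LAN 192.168.20.0/24, main-office LAN
! 192.168.10.0/24, inside interface FastEthernet0/1.
interface FastEthernet0/1
 description LAN (inside)
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description WAN (outside); a crypto map, if used, is applied here
 ip nat outside
!
ip access-list extended NAT
 remark Exempt tunnel traffic: once translated to the WAN address it
 remark no longer matches the crypto ACL and bypasses the tunnel
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark Translate all other branch traffic (PAT to the WAN address)
 permit ip 192.168.20.0 0.0.0.255 any
!
ip nat inside source list NAT interface FastEthernet0/0 overload
```

To verify, `show ip nat translations` should list only Internet-bound flows, and the encaps/decaps counters in `show crypto ipsec sa` should keep increasing for main-office traffic such as the IP phones.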

Hi Jeff,

I'm glad to hear it was resolved, have a great weekend too.

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

Jeff

 

Glad to hear that you resolved the issue. Thanks for letting us know that you solved the problem and that it turned out to be an issue with address translation for Internet traffic on the router.

 

HTH

 

Rick
