BHconsultants88
Beginner

Routing Issue between network segments

Hi everyone,

I hope you can help with this. I've attached a crudely drawn diagram which I hope will help.

Summary:

Main office network: 10.0.135.0 /24

Client office network: 10.0.136.0 /24

Legacy network: 10.90.0.0 /16

Client VPN network: 10.136.128.0 /22

There are two issues that have me scratching my head.

  1. Legacy cannot reach Frankfurt
  2. Client VPN cannot reach Frankfurt

Client Office Network has a core switch with an IP address of 10.0.136.1. All traffic goes out via the Checkpoint. Should the default gateway of this switch be the Checkpoint 10.0.135.6? Would I need static routes to solve the two issues above?

Any assistance would be gratefully appreciated.

Regards
B

5 REPLIES
Meheretab Mengistu
Rising star

Hi B,

I do not see Frankfurt in the diagram or in the network list. Which site is Frankfurt?

HTH,
Meheretab

Many thanks for your response.

Many apologies, Frankfurt is 10.0.136.0 /24.

paul driver
VIP Mentor

Hello

I would say for your client network the core switch default would indeed be the Checkpoint; however, for your client VPN, they should be routed via the VPN tunnel and not the Checkpoint next hop.

Kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future.
Georg Pauwen
VIP Expert

Hello,

Is the VPN built between the ASA and the Checkpoint? What reachability do you have, and where do traceroutes stop? It is hard to pinpoint the issue without seeing the configs of your devices; can you post those?

Thank you everyone for your feedback so far.

I've attached a further (hopefully clearer) diagram. Please see Diagram 1a. This time, I've also added routes that I currently have configured on each device.

Routes on Vodafone router:

10.0.136.0       255.255.255.0     10.0.135.1

Routes on the Core switch:

10.0.136.0       255.255.255.0     10.0.135.6
10.136.0.0       255.255.0.0       10.0.135.6

Routes on Checkpoint:

213.156.18.102   192.168.19.11   255.255.255.255   UGHD   0 0 0   External
192.168.19.0     0.0.0.0         255.255.255.0     U      0 0 0   External
10.0.135.0       0.0.0.0         255.255.255.0     U      0 0 0   Internal
89.138.200.0     192.168.19.11   255.255.248.0     UGD    0 0 0   External
10.135.0.0       10.0.135.1      255.255.0.0       UGD    0 0 0   Internal
10.0.0.0         10.0.135.250    255.0.0.0         UGD    0 0 0   Internal
0.0.0.0          192.168.19.11   0.0.0.0           UGD    0 0 0   External

The problem:

Users on 10.90.0.0 /16 are unable to access the 10.136.0.0 /16 network. Diagram 1b shows a traceroute from 10.90.0.0 /16 to 10.136.128.1. It times out after hitting 10.0.135.1.

Access the other way works fine. Users on 10.136.0.0 /16 can access 10.90.0.0 /16 fine but the traceroute looks odd to me. It can be seen in Diagram 1c.

Would you be able to review the routes I currently have in place and confirm where I'm going wrong, please? I'd like to clarify that the routes I currently have in place are correct. Also, I would like assistance on what route I need to add on the Fortigate.

Many thanks in advance.
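As an added check (example code, not from anyone in this thread), the snippet below runs a longest-prefix-match lookup over the route lines posted above, so you can see which next hop each device's posted table would pick for the addresses in the question before touching any config. It assumes the column order is destination / mask / next-hop for the Vodafone and core switch lines and destination / gateway / mask (Linux route -n layout) for the Checkpoint lines; 10.90.0.1 is a constructed sample host in the legacy range, and a missing match only means the posted lines contain no covering route (the core switch's default route, for instance, was not posted).

```python
import ipaddress

# Route tables copied from the post. Vodafone and core switch lines are
# "destination mask next-hop"; Checkpoint lines follow the Linux "route -n" layout:
# destination gateway genmask flags metric ref use iface.
VODAFONE = "10.0.136.0 255.255.255.0 10.0.135.1"
CORE_SWITCH = """10.0.136.0 255.255.255.0 10.0.135.6
10.136.0.0 255.255.0.0 10.0.135.6"""
CHECKPOINT = """213.156.18.102 192.168.19.11 255.255.255.255 UGHD 0 0 0 External
192.168.19.0 0.0.0.0 255.255.255.0 U 0 0 0 External
10.0.135.0 0.0.0.0 255.255.255.0 U 0 0 0 Internal
89.138.200.0 192.168.19.11 255.255.248.0 UGD 0 0 0 External
10.135.0.0 10.0.135.1 255.255.0.0 UGD 0 0 0 Internal
10.0.0.0 10.0.135.250 255.0.0.0 UGD 0 0 0 Internal
0.0.0.0 192.168.19.11 0.0.0.0 UGD 0 0 0 External"""

def parse_routes(text, mask_first):
    """Return [(network, next_hop)] per line; a 0.0.0.0 next hop means directly connected."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        dst, mask, gw = (parts[0], parts[1], parts[2]) if mask_first else (parts[0], parts[2], parts[1])
        routes.append((ipaddress.ip_network(f"{dst}/{mask}", strict=False), gw))
    return routes

def lookup(routes, address):
    """Longest-prefix match: the most specific route covering address, or None if none does."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None

def next_hop(routes, address):
    """Where the table sends address: a gateway IP, "connected" for a local subnet, None if unrouted."""
    match = lookup(routes, address)
    if match is None:
        return None
    return "connected" if match[1] == "0.0.0.0" else match[1]

if __name__ == "__main__":
    tables = {
        "Vodafone": parse_routes(VODAFONE, mask_first=True),
        "Core switch": parse_routes(CORE_SWITCH, mask_first=True),
        "Checkpoint": parse_routes(CHECKPOINT, mask_first=False),
    }
    # 10.90.0.1 is a constructed sample host in the legacy range; the other two addresses are from the post.
    for target in ("10.136.128.1", "10.90.0.1", "10.0.136.1"):
        for name, routes in tables.items():
            dest = lookup(routes, target)
            print(f"{name:12} {target:14} {str(dest[0]) if dest else 'no covering route posted':26} via {next_hop(routes, target)}")
```

Running it shows, for example, that the posted Checkpoint table has no 10.136.0.0/16 entry, so 10.136.128.1 falls under the 10.0.0.0/8 route via 10.0.135.250; compare that hop with where Diagram 1b's traceroute actually stops.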