Routing Issue between network segments

BHconsultants88
Level 1

Hi everyone,

I hope you can help with this. I've attached a crudely drawn diagram which I hope will help.

 

Summary:

Main office network: 10.0.135.0 /24
Client office network: 10.0.136.0 /24
Legacy network: 10.90.0.0 /16
Client VPN network: 10.136.128.0 /22

There are two issues that have me scratching my head.

  1. Legacy cannot reach Frankfurt
  2. Client VPN cannot reach Frankfurt

Client Office Network has a core switch with an IP address of 10.0.136.1. All traffic goes out via the Checkpoint. Should the default gateway of this switch be the Checkpoint 10.0.135.6? Would I need static routes to solve the two issues above?

 

Any assistance would be gratefully appreciated.

Regards,
B

5 Replies

Hi B,

I do not see Frankfurt in the diagram or in the network list. Which site is Frankfurt?

HTH,
Meheretab

Many thanks for your response.

Many apologies, Frankfurt is 10.0.136.0 /24.

 

Hello

I would say for your client network the core switch default would indeed be the Checkpoint; however, for your client VPN, they should be routed via the VPN tunnel and not the Checkpoint next hop.



Kind Regards
Paul

Hello,

 

Is the VPN built between the ASA and the Checkpoint? What reachability do you have, and where do traceroutes stop? It is hard to pinpoint the issue without seeing the configs of your devices; can you post those?

Thank you everyone for your feedback so far.

 

I've attached a further (hopefully clearer) diagram. Please see Diagram 1a. This time, I've also added routes that I currently have configured on each device.

 

Routes on Vodafone router:

10.0.136.0      255.255.255.0    10.0.135.1

Routes on the Core switch:

10.0.136.0      255.255.255.0    10.0.135.6
10.136.0.0      255.255.0.0      10.0.135.6

Routes on Checkpoint:

213.156.18.102  192.168.19.11    255.255.255.255  UGHD 0 0 0 External
192.168.19.0    0.0.0.0          255.255.255.0    U    0 0 0 External
10.0.135.0      0.0.0.0          255.255.255.0    U    0 0 0 Internal
89.138.200.0    192.168.19.11    255.255.248.0    UGD  0 0 0 External
10.135.0.0      10.0.135.1       255.255.0.0      UGD  0 0 0 Internal
10.0.0.0        10.0.135.250     255.0.0.0        UGD  0 0 0 Internal
0.0.0.0         192.168.19.11    0.0.0.0          UGD  0 0 0 External

 

The problem:

Users on 10.90.0.0 /16 are unable to access the 10.136.0.0 /16 network. Diagram 1b shows a traceroute from 10.90.0.0/16 to 10.136.128.1. It times out after hitting 10.0.135.1.

Access the other way works fine. Users on 10.136.0.0 /16 can access 10.90.0.0 /16 fine, but the traceroute looks odd to me. It can be seen in Diagram 1c.

Would you be able to review the routes I currently have in place and confirm where I'm going wrong, please? I'd like to clarify that the routes I currently have in place are correct. Also, I would like assistance on what route I need to add on the Fortigate.

Many thanks in advance.
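As an added example (my own code, not from the thread or from either vendor), the routes posted above fed into a small Python longest-prefix-match lookup, so the forwarding decision each device makes for a Frankfurt host and for the VPN address in the traceroute can be checked offline. It covers only the core switch and Checkpoint tables, since those are the ones posted in full; the host address 10.0.136.10 is a constructed sample.

```python
import ipaddress

# Static routes as posted in the thread: (destination, mask, next hop).
# A next hop of 0.0.0.0 means the network is directly connected.
CORE_SWITCH = [
    ("10.0.136.0", "255.255.255.0", "10.0.135.6"),
    ("10.136.0.0", "255.255.0.0", "10.0.135.6"),
]
CHECKPOINT = [
    ("213.156.18.102", "255.255.255.255", "192.168.19.11"),
    ("192.168.19.0", "255.255.255.0", "0.0.0.0"),
    ("10.0.135.0", "255.255.255.0", "0.0.0.0"),
    ("89.138.200.0", "255.255.248.0", "192.168.19.11"),
    ("10.135.0.0", "255.255.0.0", "10.0.135.1"),
    ("10.0.0.0", "255.0.0.0", "10.0.135.250"),
    ("0.0.0.0", "0.0.0.0", "192.168.19.11"),
]

def build_table(routes):
    """Turn (destination, mask, next hop) strings into network objects."""
    return [(ipaddress.IPv4Network(f"{dst}/{mask}"), ipaddress.IPv4Address(nh))
            for dst, mask, nh in routes]

def lookup(table, destination):
    """Longest-prefix match: the most specific route containing the address.
    Returns (network, next_hop), or None if not even a default route covers it."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [(net, nh) for net, nh in table if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda entry: entry[0].prefixlen)

def describe(table, destination):
    """Human-readable forwarding decision for one destination."""
    match = lookup(table, destination)
    if match is None:
        return f"{destination}: no matching route"
    net, nh = match
    via = "directly connected" if str(nh) == "0.0.0.0" else f"via {nh}"
    return f"{destination}: matched {net} {via}"

if __name__ == "__main__":
    # The two destinations the thread is about: a Frankfurt LAN host (constructed
    # sample address) and the client VPN address the Diagram 1b traceroute targeted.
    for dst in ("10.0.136.10", "10.136.128.1"):
        print("Core switch:", describe(build_table(CORE_SWITCH), dst))
        print("Checkpoint: ", describe(build_table(CHECKPOINT), dst))
```

Comparing the Checkpoint's choice for 10.136.128.1 with what the core switch does for the same address shows which entry in the posted table actually carries the VPN traffic, which is the first thing to check before adding routes elsewhere.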
