Static Route Between ASA and FortiGate

Please see below for the issue

 

2 firewalls

  • Cisco ASA – 10.15.1.1
  • FortiGate 301E – 10.15.1.254
  • VLAN on FortiGate anylan 10.10.3.1

 

I have a PC configured to use the Cisco gateway 10.15.1.1 and I want to ping the VLAN 10.10.3.1 on the FortiGate.

Created a static route through the Cisco

Inside 10.10.3.0 255.255.255.0 GW – 10.15.254

Cannot ping 10.10.3.1 from the PC configured with the Cisco as its gateway.

What am I missing?

balaji.bandi
Hall of Fame

Inside 10.10.3.0 255.255.255.0 GW – 10.15.1.254 <<-- this is the static route to the FortiGate

 

Do you have rules in the ASA to allow ping? You also need rules in the FortiGate to allow ping from the network you are pinging from.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, I can ping from the 10.15.1.1 gateway, just not to 10.10.3.1.

In the original post you describe a problem when a PC connected to the ASA attempts to ping a resource connected to the Fortigate. There are a number of potential issues which might cause this. In your recent post you seem to be saying that not only is it a problem for the PC to ping but also it is a problem for the ASA to ping those resources. If the ASA is able to ping other things but is not able to ping the resource in 10.10.3.1 then it is not so likely to be an issue with the ASA and more likely to be an issue on the Fortigate.

 

If there is something here that I am missing or am not understanding correctly then please clarify.

 

HTH

 

Rick


Thanks Robert,

 

I will try to clarify. 

Static Route 10.10.3.0/24 using 10.15.1.0/24 as interface, with the Gateway being the FortiGate at 10.15.1.254

I need to be able to ping 10.10.3.0/24 from the LAN that has a gateway of 10.15.1.1.

For example, my test system is 10.15.1.2 255.255.255.0 with gateway 10.15.1.1; it can ping 10.15.1.254 but cannot ping 10.10.3.1, the VLAN connected to the FortiGate.

 

Add static route(s) on Cisco(.1) for DC-LAN (and others as required) that uses the Fortigate(.254) as the next hop gateway. The static route will be 10.10.3.0/24 network using the 10.15.1.0/24 interface with a gateway of Fortigate (10.15.1.254). 

Since the 10.10.3.0 network is behind the FortiGate, you need to look at the logs and FW/ACL rules in the FortiGate, and at the routing from the FortiGate 10.10.30.0 back to the 10.10.1.X network.

 

BB

Thank you for the explanation. I still find some of what you are saying to be confusing. How can the test system have IP address of 10.15.1.2, with the ASA at 10.15.1.1 and the Fortigate at 10.15.1.254?

 

If this is actually how it is set up then success in test system ping to 10.15.1.254 is because the test system is pinging a locally connected destination. The test system only needs to arp for the destination address and then ping to it.

 

And if this is actually how it is set up then there is a potential issue on the ASA. The ping from the test system will be received on some interface (probably the outside interface) and will need to be forwarded out that same interface to get to the FortiGate. That will require that you have enabled same security intra interface. Is this enabled on your ASA?

 

HTH

 

Rick
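A consolidated ASA-side configuration for the topology discussed in this thread, added here as an example; it is not taken from any post above. It assumes the ASA's 10.15.1.0/24 interface is named inside, and the object and ACL names are placeholders.

```cisco
! Added example, not from the thread. Assumes the ASA's 10.15.1.0/24 interface is
! named "inside"; object and ACL names are placeholders.
!
! 1. Static route for the FortiGate VLAN. The next hop is the FortiGate's address on
!    the shared segment, 10.15.1.254 (the "10.15.254" in the original post is an
!    incomplete address; see balaji.bandi's correction).
route inside 10.10.3.0 255.255.255.0 10.15.1.254 1
!
! 2. Hairpin: the PC (10.15.1.2) and the FortiGate (10.15.1.254) sit on the same ASA
!    interface, so the echo request enters "inside" and must leave "inside" again.
!    The ASA drops such traffic unless intra-interface forwarding is enabled
!    (Rick's point above).
same-security-traffic permit intra-interface
!
! 3. If an ACL is already applied inbound on "inside", it must permit the hairpinned
!    traffic. Permit only ICMP echo from the PC LAN to the FortiGate VLAN rather than
!    opening the interface broadly.
object network PC_LAN
 subnet 10.15.1.0 255.255.255.0
object network FGT_VLAN
 subnet 10.10.3.0 255.255.255.0
access-list INSIDE_IN extended permit icmp object PC_LAN object FGT_VLAN echo
!
! Note: the echo reply does not transit the ASA. 10.15.1.0/24 is directly connected
! to the FortiGate, so it answers 10.15.1.2 directly; no return rule is needed here.
!
! 4. Verification from the ASA CLI: confirm the route is installed and trace a
!    hairpinned echo request from the PC to the FortiGate VLAN address.
show route | include 10.10.3.0
packet-tracer input inside icmp 10.15.1.2 8 0 10.10.3.1
```

The FortiGate must separately allow the ping to its VLAN address, as balaji.bandi's reply notes; the ASA configuration alone does not make 10.10.3.1 reachable.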