09-05-2019 08:57 AM
Please see below for the issue
2 firewalls
I have a PC configured to use the Cisco gateway 10.15.1.1 and I want to ping the VLAN 10.10.3.1 on the FortiGate.
Created a static route through the Cisco
Inside 10.10.3.0 255.255.255.0 GW – 10.15.254
Cannot ping 10.10.3.1 from the PC configured with the Cisco as gateway.
What am I missing?
09-05-2019 09:27 AM
Inside 10.10.3.0 255.255.255.0 GW – 10.15.1.254 <<--this is static route to route to Fortigate
Do you have rules in the ASA to allow ping? You also need to have rules in the FortiGate to allow ping from the network you are pinging from.
09-05-2019 10:09 AM
Yes, I can ping from the 10.15.1.1 gateway, just not to 10.10.3.1.
09-05-2019 10:21 AM
In the original post you describe a problem when a PC connected to the ASA attempts to ping a resource connected to the Fortigate. There are a number of potential issues which might cause this. In your recent post you seem to be saying that not only is it a problem for the PC to ping but also it is a problem for the ASA to ping those resources. If the ASA is able to ping other things but is not able to ping the resource in 10.10.3.1 then it is not so likely to be an issue with the ASA and more likely to be an issue on the Fortigate.
If there is something here that I am missing or am not understanding correctly then please clarify.
HTH
Rick
09-05-2019 10:39 AM
Thanks Robert,
I will try to clarify.
Static route 10.10.3.0/24 using 10.15.1.0/24 as the interface, with the gateway being the FortiGate at 10.15.1.254.
I need to be able to ping 10.10.3.0/24 from the LAN that has a gateway of 10.15.1.1.
For example: my test system is 10.15.1.2 255.255.255.0 10.15.1.1; it can ping 10.15.1.254 but cannot ping 10.10.3.1, the VLAN connected to the FortiGate.
Add static route(s) on Cisco(.1) for DC-LAN (and others as required) that uses the Fortigate(.254) as the next hop gateway. The static route will be 10.10.3.0/24 network using the 10.15.1.0/24 interface with a gateway of Fortigate (10.15.1.254).
09-05-2019 12:05 PM
Since the 10.10.3.0 network is behind the FortiGate, you need to look at the logs and FW/ACL rules in the FortiGate, and at the routing from the FortiGate 10.10.30.0 back to the 10.10.1.X network.
09-06-2019 06:58 AM
Thank you for the explanation. I still find some of what you are saying to be confusing. How can the test system have IP address of 10.15.1.2, with the ASA at 10.15.1.1 and the Fortigate at 10.15.1.254?
If this is actually how it is set up then success in test system ping to 10.15.1.254 is because the test system is pinging a locally connected destination. The test system only needs to arp for the destination address and then ping to it.
And if this is actually how it is set up then there is a potential issue on the ASA. The ping from the test system will be received on some interface (probably the outside interface) and will need to be forwarded out that same interface to get to the FortiGate. That will require that you have enabled same security intra interface. Is this enabled on your ASA?
HTH
Rick
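The two configuration points raised in this thread (the ASA static route plus the same-security intra-interface hairpin that Rick describes, and the FortiGate policy the earlier reply asks about) put together as one added example. This is not configuration from either poster or either vendor's documentation for this thread; the ASA interface name "inside" and the FortiGate interface names "port1" (facing 10.15.1.0/24) and "vlan3" (the 10.10.3.0/24 VLAN) are assumptions, and the IP addresses are the ones the thread gives.

```cisco
! ===== ASA side (added example; interface name "inside" is an assumption) =====
! 1. Route the FortiGate-side VLAN through the FortiGate on the shared 10.15.1.0/24 segment.
route inside 10.10.3.0 255.255.255.0 10.15.1.254 1
!
! 2. The PC's echo request arrives on "inside" and, per the route above, must leave
!    on "inside" again (hairpin). Without this statement the ASA drops it.
same-security-traffic permit intra-interface
!
! 3. Track ICMP statefully in the default inspection policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification from the ASA CLI: confirm the route, the hairpin permission,
! and trace a simulated echo request from the PC (type 8, code 0) to the VLAN.
show route | include 10.10.3.0
show running-config same-security-traffic
packet-tracer input inside icmp 10.15.1.2 8 0 10.10.3.1

# ===== FortiGate side (added example; "port1" and "vlan3" are assumed names) =====
# 10.15.1.0/24 is directly connected on port1 (.254), so no return route is needed;
# what is needed is a policy that permits ping from that segment into the VLAN.
config firewall policy
    edit 0
        set name "allow-ping-from-asa-lan"
        set srcintf "port1"
        set dstintf "vlan3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
end
```

One caveat worth keeping in mind with this layout: because the FortiGate sits on the same 10.15.1.0/24 segment as the PC, its echo replies go straight back to 10.15.1.2 without transiting the ASA, so the ASA only ever sees the request direction. Ping still works, but the ASA's session view is one-sided; a host route on the PC (or on whatever the LAN's actual gateway is) for 10.10.3.0/24 via 10.15.1.254 avoids the hairpin through the ASA entirely.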