Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
904
Views
0
Helpful
4
Replies

Internet PBR and ACLs

PTJarvis06
Level 1
Level 1

‎01-19-2011 07:19 AM - edited ‎03-06-2019 03:04 PM

Hello.

I would like to route Internet traffic through a FortiGate and then to an ADSL connection.
The remaining traffic should route normally to through the same FortiGate (different interface) to a router.
The Router is 10.0.0.1/24
The Router Fortigate is 10.0.0.3/24
The ADSL Fortigate is 10.0.0.4/24
The Core Switch is 10.0.0.5/24

The Core Switch configuration is as follows:

C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE

The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

interface Vlan1
description Management
ip address 10.0.0.5 255.255.255.0
ip policy route-map TEST

ip route 0.0.0.0 0.0.0.0 10.0.0.1

access-list 170 permit tcp 10.0.0.0 0.0.0.255 any eq www
access-list 170 permit tcp 10.0.0.0 0.0.0.255 any eq 8080
access-list 170 permit tcp 10.0.0.0 0.0.0.255 any eq ftp
access-list 170 permit tcp 10.0.0.0 0.0.0.255 any eq 443
access-list 180 permit tcp 10.0.0.0 0.0.0.255 any
access-list 180 permit udp 10.0.0.0 0.0.0.255 any
access-list 180 permit ip 10.0.0.0 0.0.0.255 any
access-list 180 permit icmp 10.0.0.0 0.0.0.255 any

route-map TEST permit 10
description FWD WEB TRAFFIC
match ip address 170
set ip next-hop 10.0.0.4

route-map TEST permit 20
description FWD NORMAL TRAFFIC
match ip address 180

ip local policy route-map TEST

We have proven the Fortigate is working correctly, can anyone please help to see why this is not working please?

Thank you

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎01-19-2011 08:35 AM

How are you verifying that it is not working ?

Also you do not need the 2nd route-map entry as if there is no match in the first entry then the routing table is used and presumably the other interface on the fortinet for none internet traffic is 10.0.0.1 ?

Are you sure the fortinet knows to send some traffic via the ADSL link and some not because PBR on the switch will still send all traffic to the fortinet, just on different interfaces ?

Jon

0 Helpful

PTJarvis06
Level 1
Level 1
In response to Jon Marshall

‎01-20-2011 12:53 AM

Hi Jon.

I have attached a network diagram to this reply.

I know that this is not working, as we attached a PC (10.0.0.100/24) to the Core Switch.

If you hard set the proxy settings to port 80 & the IP Address of the Fortingate IP Address 10.0.0.4/24, the Internet works fine.

To work correctly, the proxy settings should be removed completely and the PC should still be able to browse to the Internet.

It doesn't.

Paul J.

78973-LIB.vsd.zip
0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to PTJarvis06

‎01-20-2011 12:57 AM

Hi Paul,

Could you post your diagramm as a jpeg please, not everybody(including me) can read visio files.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

PTJarvis06
Level 1
Level 1
In response to cadet alain

‎01-20-2011 01:04 AM

Apologies....

50 KB
0 Helpful
Customers Also Viewed These Support Documents