05-30-2023 09:52 PM
Hi All,
I have a scenario that I have tried dealing with, but it is out of reach. This is my situation:
I manage an autonomous system: an HQ with different physical branches, each with its own subnet and its own DNS/DHCP. So that means each site has its own VLAN for Voice and DATA. On my Core SWX at the HQ, I have a VLAN for the firewall. I only access it straight from the core switch, with a static IP set on my laptop. Now, I am trying to move from the HQ to one of the branches. The HQ to Branch link is a P2P fiber link and has an RP of EIGRP.
Any idea on how I can reach the firewall from the branch?
05-30-2023 10:04 PM
Hello @ipo.peniel_rg,
Setting up a VPN tunnel or configuring site-to-site routing are common approaches to establish connectivity and allow access to devices like the firewall located at the headquarters from branch locations. These solutions provide secure and controlled access to resources across different networks.
05-30-2023 10:37 PM
Thank you So much. Do you know of any guides/setup examples i can use? This would greatly assist.
thank you.
05-30-2023 10:49 PM
05-31-2023 05:58 PM
Fortigate 200E
05-31-2023 01:11 AM
Hi
If I understood correctly, you do have connectivity between branch and HQ, right?
But you access the firewall today by connecting the laptop to the core using a static IP address? And you want to do the same while you are at the branch? Is that it?
Why don't you propagate the firewall's network or IP on EIGRP toward the branch?
Or create a static route on the branch pointing to HQ? I suppose the core in HQ can reach the firewall's VLAN, right?
05-31-2023 06:04 PM
Your understanding is correct. From the HQ to the Branch the routing protocol is EIGRP. I can ping the HQ firewall VLAN gateway but not the firewall IP address, nor can I access the firewall. Everything is fine at the HQ.
Can you assist with some steps/guide in configs? I would appreciate this.
06-01-2023 01:27 AM
Hello @ipo.peniel_rg ,
>> From the HQ to the Branch routing protocol is EIGRP. I can ping the HQ firewall VLAN gateway but not Firewall IP address nor can i access the firewall.
You have a Fortigate 200E firewall; you need to configure a static route on it for the Branch LAN IP subnet with next-hop = gateway = the HQ firewall VLAN gateway.
In addition to the routing part, being a firewall, you may need to update the firewall rules to allow ping to be successful, and other settings to be able to access the firewall admin GUI from a PC in the branch LAN subnet.
Hope to help
Giuseppe
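The two steps in the reply above (a return route for the branch subnet and admin access on the HQ-facing interface), written out as an added FortiOS CLI example; this is not the poster's configuration, and every address, the interface name port2 and the route sequence number are assumed placeholders.

```fortios
# Added example, not taken from this thread. Assumed placeholders:
#   192.0.2.0/24     branch DATA subnet the laptop will sit on
#   198.51.100.1     HQ core switch SVI on the firewall VLAN (next hop)
#   port2            FortiGate interface that sits in the firewall VLAN
#   203.0.113.10     existing HQ admin host that must keep its access

# 1) Return route. Without it the FortiGate answers the branch subnet via its
#    default route (WAN side) and the replies never come back, which is why
#    the core SVI answers pings but the firewall does not.
config router static
    edit 10
        set dst 192.0.2.0 255.255.255.0
        set gateway 198.51.100.1
        set device "port2"
        set comment "Branch LAN via HQ core SVI (core learns it by EIGRP)"
    next
end

# 2) Allow ping and management on the interface the branch traffic arrives on.
config system interface
    edit "port2"
        set allowaccess ping https ssh
    next
end

# 3) If trusted hosts are set on the admin account, the branch subnet has to be
#    added next to the HQ host, otherwise the login is still refused even
#    though routing now works.
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 192.0.2.0 255.255.255.0
    next
end
```

After applying, `get router info routing-table all` should show the branch prefix as a static route, and `diagnose sniffer packet port2 'icmp' 4` shows whether echo replies actually leave toward the core.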
06-01-2023 02:15 AM
Got it. If you are able to reach the firewall's gateway but not the firewall, it means the firewall does not know how to reply to the Branch.
You need to add a route on the firewall and allow the Branch network in the firewall rules.
What firewall is it?
05-31-2023 02:03 AM
The inter-VLAN routing ends in each of:
FW of HQ
Router in branch
VLANx-R(branch)----P2P----->FW(HQ)-VLANy
Here there is no inter-VLAN routing between VLANx and VLANy.
What you need here is to make sure that the FW knows VLANx through the P2P link
and the router knows VLANy through the P2P link.
05-31-2023 03:52 AM
Several approaches come to mind, but choosing one depends on WHY you access the FW as you describe.
Basically, this form of access might range from incompetent network design to being done for "security".
05-31-2023 06:08 PM
please share your thoughts.
06-01-2023 02:27 AM - edited 06-01-2023 03:25 AM
My thoughts?
I'm unfamiliar with a Fortigate, but I've also been thinking much along the lines of @Giuseppe Larosa's reply. I.e. the FW might need a route statement, a gateway statement or, if possible, to join your EIGRP. This is so that the FW can get beyond its VLAN.
But, I'm also thinking it's possible FW VLAN transit access might be blocked by an ACL.
From all you described, it sounds like topology is in place for you to be able to access FW from other than direct connection to the FW VLAN, but since you cannot, normal causes would be missing "routing" info or intentional security blocking.
What's still a bit unclear is how you obtain access now. When you use your static IP, do you need to connect to a specific switch port, or ports, too?