
Firepower 1120
Original post:

Recently installed a new Firepower (running FTD, managed by FDM) to replace our Meraki. We also have a Fortigate that manages several subnets that are used by machines/VMs behind the Fortigate. My PC > Switch 1 > Firepower 1120 gi 1/2 > Switch 1 > Fortigate > VMs/Machines. I am able to ping those subnets behind that Fortigate but I cannot RDP to them. I have ACLs to connect the subnets and allow any any ports. A Wireshark of an attempted RDP shows the initial connection is allowed (SYN, SYN-ACK) but then I get a RST, I am assuming from the Firepower for trying to get to 3389.

SOURCE: Zone: Inside || Networks: my subnet || Ports: Any
DESTINATION: Zone: inside || Networks: machines/VMs || Ports: Any

The machines behind the Fortigate also seem to have lost access to the internet. I created a NAT for them to reach the outside gateway but that didn't change anything.

NAT rule to get the machine/VM subnet out to the internet:
Original Packet: Src Interface: inside 1/2 || Src address: VM/machines subnets || Src Port: any || Dest Address: IP address of Firepower || Dest Port: Any
Translated Packet: Dest Interface: outside 1/1 || Src address: VM/machines subnets || Src Port: any || Dest Address: IP address of Firepower || Dest Port: Any

Reply:

You're most likely encountering TCP state bypass issues. The FTD (unlike the Meraki firewall) will expect both directions of any TCP session to be passing through it. Your forward traffic will go PC > Cisco FTD > Fortigate > RDP server, but your return traffic will go RDP Server > Fortigate > PC because the Fortigate has a direct route to the PC on its subnet. This will also affect ICMP and DNS replies. You have a few options to fix this if this is the case:

1. Configure a transit subnet between your FTD/Fortigate that contains ONLY the FTD and Fortigate, which is used to pass all traffic between them. This is the recommended permanent fix option; you don't want to have a subnet connected to the FTD containing both end-hosts and routing equipment or you'll continue to encounter issues like this.
2. Configure TCP state bypass on your FTD using FlexConfig.

Update from the original poster:

SOLVED: Both of these issues were resolved with new rules. The issue with RDP: we created a NAT to have the traffic from the main subnet translated to the inside interface, so that from the FTD's perspective the traffic is coming from the inside interface to the machines/VM subnet. The internet issue was solved by simply adding the machines/VM subnet to the ACL for the outside interface. I thought it was there before, but after a good night's sleep I double-checked and saw that it wasn't.
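The asymmetric path the reply describes, as an added example that is not from the thread: a toy Python model of a stateful firewall's handshake tracking, run over a constructed RDP handshake with the return path either skipping the FTD (the thread's topology), forced back through it (transit subnet), or with tracking disabled (TCP state bypass). The addresses, ports and class/function names are constructed for the demo; real FTD tracking is richer, and the thread's capture showed a RST where this model simply drops.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flag letters as Wireshark shows them: "S", "SA", "A", "PA"

class StatefulFirewall:
    """Toy connection table: a segment passes only if it is the next step of the
    3-way handshake that THIS box has seen, or belongs to an established flow."""
    def __init__(self, tcp_state_bypass=False):
        self.bypass = tcp_state_bypass  # the FlexConfig option from the thread
        self.table = {}  # client-side 4-tuple -> handshake state

    def forward(self, p):
        if self.bypass:
            return True  # ACL only, no handshake tracking
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        if p.flags == "S":
            self.table[fwd] = "SYN_SEEN"
            return True
        if p.flags == "SA" and self.table.get(rev) == "SYN_SEEN":
            self.table[rev] = "SYNACK_SEEN"
            return True
        if p.flags == "A" and self.table.get(fwd) == "SYNACK_SEEN":
            self.table[fwd] = "ESTABLISHED"
            return True
        return "ESTABLISHED" in (self.table.get(fwd), self.table.get(rev))

PC, SRV = "10.0.1.10", "10.0.2.20"  # constructed addresses for the demo

def rdp_handshake():
    return [Pkt(PC, SRV, 50000, 3389, "S"), Pkt(SRV, PC, 3389, 50000, "SA"),
            Pkt(PC, SRV, 50000, 3389, "A"), Pkt(PC, SRV, 50000, 3389, "PA")]

def run(ftd, return_path_via_ftd):
    """In the thread's topology the server's replies go Fortigate -> PC directly,
    so the FTD never sees them (False); a transit subnet forces them through it."""
    verdicts = []
    for p in rdp_handshake():
        if p.src == SRV and not return_path_via_ftd:
            verdicts.append("bypassed FTD")
            continue
        verdicts.append("allowed" if ftd.forward(p) else "dropped")
    return verdicts
```

With the asymmetric path the FTD accepts the SYN, never sees the SYN-ACK, and then refuses the client's ACK and data as out-of-state; routing the reply back through the FTD or enabling state bypass makes the same session pass.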