I have 2 fortinet firewalls (fully patched); fw1 is providing an IPSEC tunnel in transparent mode. beneath this firewall is a fw2, a NAT firewall with a VIP address that has been confirmed to work. This configuration is required for my customers who want to connect to a public address space inside of the tunnel, in order to prevent cross over in IP space. This configuration works great for traffic going outbound to the remote side of the tunnel, but not inbound. While sniffing the traffic, I can see the inbound traffic going out of the fw1, but it is never seen at the fw2.
Cust Net > 10.1.1.100
|
|
|
FW1 >TRANSPARENT IPSEC
|
|
|
FW2 EXT >99.1.1.1.100-VIP
|
FW2 NAT >192.1.1.100-NAT
This was an Arp Cache Problem resolved by making a stic entry for the 3rd firewall on the second firewall.