SOLVED

question about Route tables and network virtual appliance

%3CLINGO-SUB%20id%3D%22lingo-sub-2036138%22%20slang%3D%22en-US%22%3Equestion%20about%20Route%20tables%20and%20network%20virtual%20appliance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2036138%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20setting%20up%20routing%20in%20Azure%20using%20a%20Network%20Virtual%20Appliance%20firewall.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20all%20of%20the%20routing%20working%20to%20and%20from%20the%20virtual%20gateway%20to%20on%20perm%2C%20however%20I%20am%20struggling%20to%20configure%20the%20Routing%20to%20the%20internet%20for%20azure%20internal%20hosts.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20internal%20host%20and%20firewall%20are%20each%20in%20their%20own%20subnets.%2010.0.7.0%2F24%20and%2010.0.1.0%2F24%20respectively.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAll%20the%20NIC's%20associated%20with%20the%20firewall%20have%20forwarding%20enabled%20in%20Azure%20and%20port%204%20has%20a%20public%20IP%20assigned.%20There%20are%20no%20NSG%E2%80%99s%20in%20place.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20internal%20host%20subnet%20route%20table%20has%20a%20route%20for%200.0.0.0%2F0%20with%20a%20destination%20of%20the%20firewall%20interface%20on%20port%202%20(10.0.1.5)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20firewall%20has%20a%20route%20for%200.0.0.0%2F0%20to%20its%20gateway%2010.0.1.1%20via%20port%204%20(10.0.1.7)%20and%20a%20route%20for%2010.0.7.0%2F24%20to%20its%20gateway%2010.0.1.1%20via%20port%202%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20firewall%20also%20has%20a%20policy%20allowing%20traffic%20on%2010.0.1.5%20and%20nating%20it%20out%20port%204%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20see%20that%20the%20firewall%20is%20receiving%20and%20allowing%20the%20traffic%20to%20the%20internet%20however%2C%20there%20is%20still%20no%20internet%20connectivity%20on%20the%20internal%20host.%3C%2FP%3E%3CP%3EI%E2%80%99m%20wondering%20the%20firewall%20subnet%20need%20a%20route%20table%2C%20however%20I%20cannot%20figure%20out%20what%20routes%20I%20would%20%26nbsp%3Bconfigure%20without%20looping%20the%20traffic.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThoughts%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2037755%22%20slang%3D%22en-US%22%3ERe%3A%20question%20about%20Route%20tables%20and%20network%20virtual%20appliance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2037755%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F540591%22%20target%3D%22_blank%22%3E%40ibrahimambodji%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20you%20reply%20I%20attached%20a%20diagram%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20not%20tried%20the%20troubleshooting%20tools.%20I%20will%20try%20them%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2040556%22%20slang%3D%22en-US%22%3ERe%3A%20question%20about%20Route%20tables%20and%20network%20virtual%20appliance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2040556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F540591%22%20target%3D%22_blank%22%3E%40ibrahimambodji%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20using%20a%20fortigate%20Appliance%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOut%20design%20calls%20for%20all%20internet%20bound%20vnet%20traffic%20to%20be%20routed%20through%20the%20same%20interface.%20so%20the%20fortigate%20is%20using%20a%20firewall%20policy%20to%20receive%20traffic%20on%20the%2010.0.1.5%20interface%20and%20and%20send%20it%20out%20the%2010.0.1.7%20interface.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%2010.0.1.7%20interface%20has%20a%20public%20ip%20attached%20to%20it%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20noticed%20that%20the%20traffic%20is%20being%20routed%20to%20the%20internet%2C%20it%20seems%20that%20is%20just%20not%20coming%20back%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20each%20attempt%20I%20see%20the%20same%20three%20events%20in%20the%20firewall%20log%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAccept%20session%20start%3C%2FP%3E%3CP%3EAccept%20IP%20Connection%20Error%26nbsp%3B%3C%2FP%3E%3CP%3EAccept%20Session%20timeout%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELooking%20a%20bit%20further%20I%20see%20that%20the%20error%20indicates%20that%20the%20gate%20is%20not%20receiving%20a%20reply%20from%20the%20started%20session%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fkb.fortinet.com%2Fkb%2Fmicrosites%2Fsearch.do%3Fcmd%3DdisplayKC%26amp%3BdocType%3Dkc%26amp%3BexternalId%3DFD39321%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Eip-conn%20traffic%20action%20in%20logs%20(fortinet.com)%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20chance%20this%20is%20similar%20to%20your%20issue%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I'm setting up routing in Azure using a Network Virtual Appliance firewall. 

 

I have all of the routing working to and from the virtual gateway to on perm, however I am struggling to configure the Routing to the internet for azure internal hosts.

 

The internal host and firewall are each in their own subnets. 10.0.7.0/24 and 10.0.1.0/24 respectively. 

 

All the NIC's associated with the firewall have forwarding enabled in Azure and port 4 has a public IP assigned. There are no NSG’s in place.

 

The internal host subnet route table has a route for 0.0.0.0/0 with a destination of the firewall interface on port 2 (10.0.1.5)

 

The firewall has a route for 0.0.0.0/0 to its gateway 10.0.1.1 via port 4 (10.0.1.7) and a route for 10.0.7.0/24 to its gateway 10.0.1.1 via port 2  

The firewall also has a policy allowing traffic on 10.0.1.5 and nating it out port 4 

 

I can see that the firewall is receiving and allowing the traffic to the internet however, there is still no internet connectivity on the internal host.

I’m wondering the firewall subnet need a route table, however I cannot figure out what routes I would  configure without looping the traffic.

 

 

 

Thoughts? 

 

 

7 Replies

Hi i think you need to draw a diagram so we can see all the flows and try to identify what's wrong . By the way have you tried  the native network troubleshooting tools : 

 

IP Flow Verify 

Connection Monitor 

Effective Security Rules 

Effective routes 

@ibrahimambodji 

 

Thanks for you reply I attached a diagram 

 

I have not tried the troubleshooting tools. I will try them

@hobbssj 

 

It's more clear   

 

0.0.0.0/0 -----> 10.0.1.5   : Ok you are sending traffic  to the private IP of the Firewall 

but 10.0.0.1.5 have no way to send the traffic to the Internet ( I don't see any public IP attached to this interface ). The Public Facing Subnet should have both private and public . 

 

Can you try to change the  route to this : 0.0.0.0/0 -------->10.0.1.7 and see if in the Host you can see the Internet .  

What is the type of NVA you are using Fortinet Palo Alto  Checkpoint ?  

I've already deployed a fortinet next gen firewall and the issue i faced was similar 

may be there is some specific  guidelines from your vendor .

 

 

@ibrahimambodji 

 

We are using a fortigate Appliance 

 

Out design calls for all internet bound vnet traffic to be routed through the same interface. so the fortigate is using a firewall policy to receive traffic on the 10.0.1.5 interface and and send it out the 10.0.1.7 interface.

 

The 10.0.1.7 interface has a public ip attached to it

 

I have noticed that the traffic is being routed to the internet, it seems that is just not coming back

 

On each attempt I see the same three events in the firewall log 

 

Accept session start

Accept IP Connection Error 

Accept Session timeout 

 

Looking a bit further I see that the error indicates that the gate is not receiving a reply from the started session 

 

ip-conn traffic action in logs (fortinet.com)

 

Any chance this is similar to your issue?

@hobbssj 

 

No it's not the same , this one seems more complex  

 

I think you need to review the doc on network interfaces and routes 

Azure Cookbook | FortiGate / FortiOS 6.2.0 | Fortinet Documentation Library

and also the use of public interfaces  

Azure Cookbook | FortiGate / FortiOS 6.2.0 | Fortinet Documentation Library

 

Also network watcher can give more inputs in Azure side . 

 

best response confirmed by hobbssj (Occasional Contributor)
Solution

@ibrahimambodji 

 

Got this resolved, 

 

the fortigate does not support mutiple interfaces in the same subnet, I ended up putting the interfaces in the host subnets and it worked. 

 

 

@hobbssj 

 

Awsome,  Thanks for the feedback