Tuesday, January 28, 2020

Help Accessing a Jumpserver behind a FortiGate Firewall

Hi r/networking

I am helping a client implement a network architecture where there are three networks:

  • Business Network: Internet access, emails, etc.
  • Control Network: Computers that talk to each other, but do NOT ever reach the internet, or machines that have full access to the internet
  • DMZ: Remote Server that has limited internet access that can connect to the control network

I have complete control over the FortiGate firewall, but I have 0 control on the internet facing router. So any solutions would need to minimize the involvement of the router. (I have to get the client's IT involved and it's very troublesome).

The idea is that someone anywhere in the world with internet access can access the jump server, which in turn can access the control network. The way this is set up is:

The business network is public facing, so the router/default gateway of that network is the ISP's connection and thus has a public IP address. Connected to this Business network is a FortiGate firewall, which is also connected to and controls the DMZ and Control network.

My question is, how can I achieve the desired effect of being able to remote into this Jumpserver?

My idea was this: Use the FortiGate's VPN capabilities to provide an inroad to the DMZ, thus giving access to the jumpserver, and to access this VPN from the internet, forward the custom VPN port from the main router to the FortiGate firewall's business network IP.

Here is an image illustrating my idea: https://imgur.com/a/cyX6jQg

This did not work. The VPN connection times out immediately. So here are my next questions:

  • Someone familiar with FortiGate firewalls/VPNs, what is the first thing you can see I am doing wrong?
  • Is this method even valid? Can this work?
  • Minimizing configuration with the business router, what is the best way to achieve this design where a jumpserver in a DMZ can be remoted into from any computer with internet access?

Thank you for your time.
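As an added example (not part of the original post and not the poster's configuration), here is what the "VPN into the DMZ, then policy to the jump server" design looks like as a FortiOS CLI fragment for an IPsec dial-up tunnel. The interface names (`port1` on the business network, `port2` on the DMZ), the addresses (jump server `10.20.0.10`, client pool `10.30.0.0/24`), the tunnel name and the pre-shared key placeholder are all constructed assumptions:

```fortios
# Constructed example: interface names, addresses, tunnel name and PSK are assumptions.

# Address objects so the policy can be scoped to the one host and the VPN pool.
config firewall address
    edit "jumpserver"
        set subnet 10.20.0.10 255.255.255.255
    next
    edit "vpn-client-pool"
        set subnet 10.30.0.0 255.255.255.0
    next
end

# Phase 1: dial-up (clients arrive from any public address) bound to the
# business-network interface, which is where the router forwards traffic to.
config vpn ipsec phase1-interface
    edit "remote-dmz"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
        # Hand each client an address from the pool so the policy below can match it.
        set mode-cfg enable
        set ipv4-start-ip 10.30.0.1
        set ipv4-end-ip 10.30.0.254
        set ipv4-netmask 255.255.255.0
    next
end

config vpn ipsec phase2-interface
    edit "remote-dmz-p2"
        set phase1name "remote-dmz"
        set proposal aes256gcm
    next
end

# Only policy out of the tunnel: VPN pool -> the jump server, RDP only, logged.
# Nothing from the tunnel reaches the control network directly; that hop is
# made from the jump server under its own rules.
config firewall policy
    edit 0
        set name "vpn-to-jumpserver"
        set srcintf "remote-dmz"
        set dstintf "port2"
        set srcaddr "vpn-client-pool"
        set dstaddr "jumpserver"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end
```

The part that depends on the business router is small but specific: for IPsec the router has to forward UDP 500 (IKE) and UDP 4500 (NAT-T) to the FortiGate's business-network IP, since IKE does not run on a single custom port; if the tunnel is an SSL VPN instead, only the TCP port set under `config vpn ssl settings` needs forwarding. The FortiGate's default route must also point back at that router so replies to the remote client leave the same way. To see whether forwarded packets are arriving at all, `diagnose sniffer packet port1 'udp port 500 or udp port 4500' 4` on the FortiGate shows the IKE traffic (or its absence), and `diagnose debug application ike -1` with `diagnose debug enable` shows why a negotiation fails once packets do arrive.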


