Fortinet black logo

Handbook

Static routing example

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:177888
Download PDF

Static routing example

This is an example of a typical small network configuration that uses only static routing.

This network is in a dental office that includes a number of dentists, assistants, and office staff. The size of the office isn't expected to grow significantly in the near future, and the network usage is very stable (there are no new applications being added to the network).

The users on the network are:

  • Administrative staff: Access to local patient records to perform online billing
  • Dentists: Access and update local patient records to research online from desk
  • Assistants: Access and update local patient records in exam rooms

The distinction here is mainly that only the administrative staff and dental office need access to the Internet. All other traffic is local and doesn't need to leave the local network. Routing is only required for the outbound traffic and the computers that have valid outbound traffic.

Configuring routing only on computers that need it acts as an additional layer of security by helping prevent malicious traffic from leaving the network.

Network layout and assumptions

The computers on the network are administrative staff computers, dental office computers, and dental exam room computers. While there are other devices on the local network, such as printers, they don't need Internet access or any routing.

The networked office equipment includes one PC for administrative staff, 3 PCs for dentists, and 5 PCs in the exam rooms. There's also a network printer and a router on the network.

Assumptions about these computers and network include:

  • The FortiGate is a model with interfaces labeled port1 and port2.
  • The FortiGate has been installed and is configured in NAT mode.
  • VDOMs aren't enabled.
  • The computers on the network are running MS Windows software.
  • Any hubs required in the network aren't shown in the network diagram.
  • The network administrator has access to the ISP IP addresses and is the super_admin administrator on the FortiGate.
Static routing example device names, IP addresses, and level of access

Device name

IP address

Need external access?

Router

192.168.10.1

Yes

Admin

192.168.10.11

Yes

Dentist1-3

192.168.10.21-23

Yes

Exam1-5

192.168.10.31-35

No

Printer

192.168.10.41

No

General configuration steps

The steps to configuring routing on this network are:

  1. Get your ISP information such as DNS, gateway, etc.
  2. Configure the FortiGate
  3. Configure the PCs for the administrator and dentists
  4. Testing network configuration

Get your ISP information such as DNS, gateway, etc.

Your local network connects to the Internet through your Internet Service Provider (ISP). They have IP addresses that you need to configure your network and routing.

The addresses that you need for routing are your assigned IP address, DNS servers, and the gateway.

Configure the FortiGate

The FortiGate has two interfaces in use: one connected to the internal network and one connected to the external network. Port1 is the internal interface and port2 is the external interface.

To configure the FortiGate:

  1. Configure the internal interface (port1)
  2. Configure the external interface (port2)
  3. Configure networking information
  4. Configure basic security policies
  5. Configure static routing

Configure the internal interface (port1)

To configure the internal interface (port1) - GUI:
  1. Go to Network > Interfaces. Highlight port1 and select Edit.
  2. Enter the following information:

Addressing mode

Manual

IP/Network Mask

172.100.1.1/255.255.255.0

Administrative Access

HTTPS, PING, TELNET

Description

Internal network

To configure the internal interface (port1) - CLI:

config system interface

edit port1

set IP 192.168.10.1 255.255.255.0

set allowaccess https ping telnet

set description “internal network”

next

end

Configure the external interface (port2)

The external interface connects to your ISP network. You need to know the IP addresses in their network that you should connect to. In this example, the address that the ISP gave you is 172.100.20.20, which will connect to the gateway at 172.100.20.5 on their network, and their DNS servers are 172.11.22.33 and 172.11.22.34.

To configure the internal interface (port2) - GUI:
  1. Go to Network > Interfaces. Highlight port2 and select Edit.
  2. Enter the following:

Addressing mode

Manual

IP/Network Mask

172.100.20.20/255.255.255.0

Administrative Access

HTTPS, PING, TELNET

Description

Internal network

To configure the internal interface (port2) - CLI:

configure system interface

edit port2

set IP 172.100.20.20 255.255.255.0

set allowaccess https ping telnet

set description “internal network”

next

end

Configure networking information

Networking information includes the gateway and DNS servers. A FortiGate requires a connection to the Internet for antivirus and other periodic updates.

To configure networking information - GUI:
  1. Go to Network > DNS.
  2. Enter the primary and secondary DNS addresses.
  3. Select Apply.
To configure networking information - CLI:

config system global

set dns_1 172.11.22.33

set dns_2 172.11.22.34

end

Configure basic security policies

For traffic to flow between the internal and external ports in both directions, as a minimum, two security policies are required. More can be used to further limit or direct traffic, as needed, but won't be included here.

Before configuring the security policies, a firewall address group is configured for the PCs that are allowed Internet access. This prevents a PC without Internet privileges from accessing the Internet.

The security policy assumptions are:

  • For added security, only the basic networking services are listed as allowed. Others can easily be added as users require them.
  • In this example, to keep things simple, both incoming and outgoing security policies are the same. In a real network there are applications that are allowed out but not in, and vice versa.
  • Endpoint control has been enabled to ensure that all computers on the local network are running FortiClient and those installs are up to date. This feature ensures added security on your local network without the need for the network administrator to continually bother users to update their software. The FortiGate can store an up to date copy of the FortiClient software and offer a URL to it for users to install it if they need to.
To configure security policies – GUI:
  1. Go to Policy & Objects > Addresses.
  2. Create a new Firewall Address entry for each of:
  3. PC Name

    IP Address

    Interface

    Admin

    192.168.10.11

    port1

    Dentist1

    192.168.10.21

    port1

    Dentist2

    192.168.10.22

    port1

    Dentist3

    192.168.10.23

    port1

  4. Go to Policy & Objects > Addresses.
  5. Select the dropdown arrow next to Create New and select Address Group.
  6. Name the group Internet_PCs.
  7. Add Admin, Dentist1, Dentist2, and Dentist3 as members of the group.
  8. Select OK.
  9. Go to Policy & Objects > IPv4 Policy.
  10. Select Create New.
  11. Enter the following: DH - port2(external) -> port1(internal)
  12. Incoming Interface

    port2

    Outgoing Interface

    port1

    Source

    all

    Destination

    Internet_PCs

    Schedule

    always

    Service

    Multiple.

    Select DHCP, DNS,FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH.

    Action

    ACCEPT

    Log Allowed Traffic

    Enabled

  13. Select OK.
  14. Select Create New.
  15. Enter the following:
  16. Incoming Interface

    port1

    Outgoing Interface

    port2

    Source

    Internet_PCs

    Destination

    all

    Schedule

    always

    Service

    Multiple.

    Select DHCP, DNS,FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH.

    Action

    ACCEPT

    Log Allowed Traffic

    Enabled

  17. Select OK.
To configure security policies - CLI:

config firewall address

edit "Admin"

set associated-interface "port1"

set subnet 192.168.10.11 255.255.255.255

next

edit "Dentist1"

set associated-interface "port1"

set subnet 192.168.10.21 255.255.255.255

next

edit "Dentist2"

set associated-interface "port1"

set subnet 192.168.10.22 255.255.255.255

next

edit "Dentist3"

set associated-interface "port1"

set subnet 192.168.10.23 255.255.255.255

end

config firewall addrgrp

edit Internet_PCs

set member Admin Dentist1 Dentist2 Dentist3

end

config firewall policy

edit 1

set srcintf port1

set dstintf port2

set srcaddr Internet_PCs

set dstaddr all

set action accept

set schedule always

set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"

set logtraffic enable

set label "Section2"

set endpoint-restrict-check no-av db-outdated

next

edit 2

set srcintf port2

set dstintf port1

set srcaddr all

set dstaddr Internet_PCs

set action accept

set schedule always

set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"

set logtraffic enable

set label "Section2"

set endpoint-restrict-check no-av db-outdated

next

end

Adding FortiClient enforcement to interfaces

You can enforce the use of FortiClient on individual interfaces.

In the FortiGate GUI, select Network > Interfaces and choose an interface. Under the Admission Control heading, you can enable the Allow FortiClient Connections setting. Once you enable this setting, two more options become visible: Discover Clients (Broadcast) and FortiClient Enforcement. When you enable FortiClient enforcement, you enforce that in order for incoming traffic to pass through that interface, it must be initiated by a device running FortiClient.

Once you enforce the use of FortiClient on the interface, you should also configure FortiClient profiles for the incoming connections. You can also set up any exemptions that are needed. Just below the FortiClient Enforcement option are fields for Exempt Sources and Exempt Destinations/Services. These can be selected from address or services objects already configured on the FortiGate.

In the CLI, use the following commands:

config system interface

edit port1

set listen-forticlient-connection [enable|disable]

set endpoint-compliance [enable|disable]

next

end

Configure static routing

With the rest of the FortiGate configured, static routing is the last step before moving on to the rest of the local network. All traffic on the local network will be routed according to this static routing entry.

To configure Fortinet static routing - GUI:
  1. Go to Network > Static Routes.
  2. Select the top route on the page and then select Edit.
  3. Enter the following information:
  4. Destination

    172.100.20.5

    Interface

    port2

    Gateway Address

    172.100.20.5

    Administrative Distance

    10

  5. Select OK.
To configure Fortinet unit static routing - CLI:

configure routing static

edit 1

set gateway 172.100.20.5

set distance 10

set device port2

set dst 0.0.0.0

next

end

Configure the PCs for the administrator and dentists

After the router is configured, we need to configure the computers that require Internet access. These computers need routing to be configured on them. As the other computers don't require routing, they aren't included here.

The procedure to configure these computers is the same. Repeat the following procedure for the corresponding PCs.

The Windows CLI procedure doesn't configure the DNS entries. It just adds the static routes.

To configure routing and DNS on PCs for administrator and dentists - Windows GUI:
  1. On the PC, select Start > Control Panel > Network Connections.
  2. Right click on the network connection to your local network that has a status of Connected, and select Properties.
  3. Under the General tab, from the list select TCP/IP, and Properties.
  4. Under Gateway, enter the FortiGate unit address (192.168.10.1).
  5. Enter the primary and secondary DNS server addresses from your ISP (172.11.22.33 and 172.11.22.34).
  6. Select OK.
To configure routing on PCs for administrator and dentists - Windows CLI:
  1. On the PC, select Start > Run, enter “cmd”, and select OK.
  2. At the command prompt, type:
  3. route ADD 0.0.0.0 MASK 0.0.0.0 172.100.20.5 METRIC 10

    route ADD 192.168.10.0 MASK 255.255.255.0 192.168.10.1 METRIC 5

  4. Confirm these routes have been added. Type:
  5. route PRINT

    If you don't see the two routes you added, try adding them again, while paying attention to avoid spelling mistakes.

  6. Test that you can communicate with other computers on the local network, and with the Internet. If there are no other computers on the local network, connect to the FortiGate.

Configure other PCs on the local network

The PCs on the local network without Internet access (for example, the exam room PCs) can be configured now.

As this step doesn't require any routing, details haven't been included.

Testing network configuration

There are three tests that you can run on the network to ensure proper connectivity:

  • Test that PCs on the local network can communicate
  • Test that Internet_PCs on the local network can access the Internet
  • Test that non-Internet_PCs can't access the Internet

Test that PCs on the local network can communicate

  1. Select any two PCs on the local network, such as Exam4 and Dentist3.
  2. On the Exam4 PC, at the command prompt, enter ping 192.168.10.23.
  3. The output from this command should appear similar to the following:

    Pinging 192.168.10.23 with 32 bytes of data:

    Reply from 192.168.10.23: bytes=32 time<1m TTL=255

    Reply from 192.168.10.23: bytes=32 time<1m TTL=255

    Reply from 192.168.10.23: bytes=32 time<1m TTL=255

  4. At the command prompt, enter exit to close the window.
  5. On the Dentist3 PC, at the command prompt, enter ping 192.168.10.34.
  6. The output from this command should appear similar to the following:

    Pinging 192.168.10.34 with 32 bytes of data:

    Reply from 192.168.10.34: bytes=32 time<1m TTL=255

    Reply from 192.168.10.34: bytes=32 time<1m TTL=255

    Reply from 192.168.10.34: bytes=32 time<1m TTL=255

  7. At the command prompt, enter exit to close the window.
  8. Repeat these steps for all PCs on the local network.
  9. If the output doesn't appear similar to above, there's a problem with the network configuration between these two PCs.

To test that Internet_PCs on the local network can access the Internet

The easiest way to access the Internet is with an Internet browser. However, if that doesn't work, it's best to do a traceroute to see at what point the problem is. This can help determine if it's a networking problem, such as cabling, or if it's an access problem, such as this PC not having Internet access.

  1. Select any PC on the local network that's supposed to have Internet access, such as Admin.
  2. On the Admin PC, open an Internet browser and attempt to access a website on the Internet, such as http://www.fortinet.com.
  3. If this is successful, this PC has Internet access.

  4. If step2 wasn't successful, at the command prompt on the PC, enter traceroute 22.11.22.33.
  5. The output from this command should appear similar to:

    Pinging 22.11.22.33 with 32 bytes of data:

    Reply from 22.11.22.33: bytes=32 time<1m TTL=255

    Reply from 22.11.22.33: bytes=32 time<1m TTL=255

    Reply from 22.11.22.33: bytes=32 time<1m TTL=255

Static routing example

This is an example of a typical small network configuration that uses only static routing.

This network is in a dental office that includes a number of dentists, assistants, and office staff. The size of the office isn't expected to grow significantly in the near future, and the network usage is very stable (there are no new applications being added to the network).

The users on the network are:

  • Administrative staff: Access to local patient records to perform online billing
  • Dentists: Access and update local patient records to research online from desk
  • Assistants: Access and update local patient records in exam rooms

The distinction here is mainly that only the administrative staff and dental office need access to the Internet. All other traffic is local and doesn't need to leave the local network. Routing is only required for the outbound traffic and the computers that have valid outbound traffic.

Configuring routing only on computers that need it acts as an additional layer of security by helping prevent malicious traffic from leaving the network.

Network layout and assumptions

The computers on the network are administrative staff computers, dental office computers, and dental exam room computers. While there are other devices on the local network, such as printers, they don't need Internet access or any routing.

The networked office equipment includes one PC for administrative staff, 3 PCs for dentists, and 5 PCs in the exam rooms. There's also a network printer and a router on the network.

Assumptions about these computers and network include:

  • The FortiGate is a model with interfaces labeled port1 and port2.
  • The FortiGate has been installed and is configured in NAT mode.
  • VDOMs aren't enabled.
  • The computers on the network are running MS Windows software.
  • Any hubs required in the network aren't shown in the network diagram.
  • The network administrator has access to the ISP IP addresses and is the super_admin administrator on the FortiGate.
Static routing example device names, IP addresses, and level of access

Device name

IP address

Need external access?

Router

192.168.10.1

Yes

Admin

192.168.10.11

Yes

Dentist1-3

192.168.10.21-23

Yes

Exam1-5

192.168.10.31-35

No

Printer

192.168.10.41

No

General configuration steps

The steps to configuring routing on this network are:

  1. Get your ISP information such as DNS, gateway, etc.
  2. Configure the FortiGate
  3. Configure the PCs for the administrator and dentists
  4. Testing network configuration

Get your ISP information such as DNS, gateway, etc.

Your local network connects to the Internet through your Internet Service Provider (ISP). They have IP addresses that you need to configure your network and routing.

The addresses that you need for routing are your assigned IP address, DNS servers, and the gateway.

Configure the FortiGate

The FortiGate has two interfaces in use: one connected to the internal network and one connected to the external network. Port1 is the internal interface and port2 is the external interface.

To configure the FortiGate:

  1. Configure the internal interface (port1)
  2. Configure the external interface (port2)
  3. Configure networking information
  4. Configure basic security policies
  5. Configure static routing

Configure the internal interface (port1)

To configure the internal interface (port1) - GUI:
  1. Go to Network > Interfaces. Highlight port1 and select Edit.
  2. Enter the following information:

Addressing mode

Manual

IP/Network Mask

172.100.1.1/255.255.255.0

Administrative Access

HTTPS, PING, TELNET

Description

Internal network

To configure the internal interface (port1) - CLI:

config system interface

edit port1

set IP 192.168.10.1 255.255.255.0

set allowaccess https ping telnet

set description “internal network”

next

end

Configure the external interface (port2)

The external interface connects to your ISP network. You need to know the IP addresses in their network that you should connect to. In this example, the address that the ISP gave you is 172.100.20.20, which will connect to the gateway at 172.100.20.5 on their network, and their DNS servers are 172.11.22.33 and 172.11.22.34.

To configure the internal interface (port2) - GUI:
  1. Go to Network > Interfaces. Highlight port2 and select Edit.
  2. Enter the following:

Addressing mode

Manual

IP/Network Mask

172.100.20.20/255.255.255.0

Administrative Access

HTTPS, PING, TELNET

Description

Internal network

To configure the internal interface (port2) - CLI:

configure system interface

edit port2

set IP 172.100.20.20 255.255.255.0

set allowaccess https ping telnet

set description “internal network”

next

end

Configure networking information

Networking information includes the gateway and DNS servers. A FortiGate requires a connection to the Internet for antivirus and other periodic updates.

To configure networking information - GUI:
  1. Go to Network > DNS.
  2. Enter the primary and secondary DNS addresses.
  3. Select Apply.
To configure networking information - CLI:

config system global

set dns_1 172.11.22.33

set dns_2 172.11.22.34

end

Configure basic security policies

For traffic to flow between the internal and external ports in both directions, as a minimum, two security policies are required. More can be used to further limit or direct traffic, as needed, but won't be included here.

Before configuring the security policies, a firewall address group is configured for the PCs that are allowed Internet access. This prevents a PC without Internet privileges from accessing the Internet.

The security policy assumptions are:

  • For added security, only the basic networking services are listed as allowed. Others can easily be added as users require them.
  • In this example, to keep things simple, both incoming and outgoing security policies are the same. In a real network there are applications that are allowed out but not in, and vice versa.
  • Endpoint control has been enabled to ensure that all computers on the local network are running FortiClient and those installs are up to date. This feature ensures added security on your local network without the need for the network administrator to continually bother users to update their software. The FortiGate can store an up to date copy of the FortiClient software and offer a URL to it for users to install it if they need to.
To configure security policies – GUI:
  1. Go to Policy & Objects > Addresses.
  2. Create a new Firewall Address entry for each of:
  3. PC Name

    IP Address

    Interface

    Admin

    192.168.10.11

    port1

    Dentist1

    192.168.10.21

    port1

    Dentist2

    192.168.10.22

    port1

    Dentist3

    192.168.10.23

    port1

  4. Go to Policy & Objects > Addresses.
  5. Select the dropdown arrow next to Create New and select Address Group.
  6. Name the group Internet_PCs.
  7. Add Admin, Dentist1, Dentist2, and Dentist3 as members of the group.
  8. Select OK.
  9. Go to Policy & Objects > IPv4 Policy.
  10. Select Create New.
  11. Enter the following: DH - port2(external) -> port1(internal)
  12. Incoming Interface

    port2

    Outgoing Interface

    port1

    Source

    all

    Destination

    Internet_PCs

    Schedule

    always

    Service

    Multiple.

    Select DHCP, DNS,FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH.

    Action

    ACCEPT

    Log Allowed Traffic

    Enabled

  13. Select OK.
  14. Select Create New.
  15. Enter the following:
  16. Incoming Interface

    port1

    Outgoing Interface

    port2

    Source

    Internet_PCs

    Destination

    all

    Schedule

    always

    Service

    Multiple.

    Select DHCP, DNS,FTP, HTTP, HTTPS, NTP, POP3, SMTP, SSH.

    Action

    ACCEPT

    Log Allowed Traffic

    Enabled

  17. Select OK.
To configure security policies - CLI:

config firewall address

edit "Admin"

set associated-interface "port1"

set subnet 192.168.10.11 255.255.255.255

next

edit "Dentist1"

set associated-interface "port1"

set subnet 192.168.10.21 255.255.255.255

next

edit "Dentist2"

set associated-interface "port1"

set subnet 192.168.10.22 255.255.255.255

next

edit "Dentist3"

set associated-interface "port1"

set subnet 192.168.10.23 255.255.255.255

end

config firewall addrgrp

edit Internet_PCs

set member Admin Dentist1 Dentist2 Dentist3

end

config firewall policy

edit 1

set srcintf port1

set dstintf port2

set srcaddr Internet_PCs

set dstaddr all

set action accept

set schedule always

set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"

set logtraffic enable

set label "Section2"

set endpoint-restrict-check no-av db-outdated

next

edit 2

set srcintf port2

set dstintf port1

set srcaddr all

set dstaddr Internet_PCs

set action accept

set schedule always

set service "DHCP" "DNS" "FTP" "HTTP" "HTTPS" "NTP" "POP3" "SMTP" "SSH"

set logtraffic enable

set label "Section2"

set endpoint-restrict-check no-av db-outdated

next

end

Adding FortiClient enforcement to interfaces

You can enforce the use of FortiClient on individual interfaces.

In the FortiGate GUI, select Network > Interfaces and choose an interface. Under the Admission Control heading, you can enable the Allow FortiClient Connections setting. Once you enable this setting, two more options become visible: Discover Clients (Broadcast) and FortiClient Enforcement. When you enable FortiClient enforcement, you enforce that in order for incoming traffic to pass through that interface, it must be initiated by a device running FortiClient.

Once you enforce the use of FortiClient on the interface, you should also configure FortiClient profiles for the incoming connections. You can also set up any exemptions that are needed. Just below the FortiClient Enforcement option are fields for Exempt Sources and Exempt Destinations/Services. These can be selected from address or services objects already configured on the FortiGate.

In the CLI, use the following commands:

config system interface

edit port1

set listen-forticlient-connection [enable|disable]

set endpoint-compliance [enable|disable]

next

end

Configure static routing

With the rest of the FortiGate configured, static routing is the last step before moving on to the rest of the local network. All traffic on the local network will be routed according to this static routing entry.

To configure Fortinet static routing - GUI:
  1. Go to Network > Static Routes.
  2. Select the top route on the page and then select Edit.
  3. Enter the following information:
  4. Destination

    172.100.20.5

    Interface

    port2

    Gateway Address

    172.100.20.5

    Administrative Distance

    10

  5. Select OK.
To configure Fortinet unit static routing - CLI:

configure routing static

edit 1

set gateway 172.100.20.5

set distance 10

set device port2

set dst 0.0.0.0

next

end

Configure the PCs for the administrator and dentists

After the router is configured, we need to configure the computers that require Internet access. These computers need routing to be configured on them. As the other computers don't require routing, they aren't included here.

The procedure to configure these computers is the same. Repeat the following procedure for the corresponding PCs.

The Windows CLI procedure doesn't configure the DNS entries. It just adds the static routes.

To configure routing and DNS on PCs for administrator and dentists - Windows GUI:
  1. On the PC, select Start > Control Panel > Network Connections.
  2. Right click on the network connection to your local network that has a status of Connected, and select Properties.
  3. Under the General tab, from the list select TCP/IP, and Properties.
  4. Under Gateway, enter the FortiGate unit address (192.168.10.1).
  5. Enter the primary and secondary DNS server addresses from your ISP (172.11.22.33 and 172.11.22.34).
  6. Select OK.
To configure routing on PCs for administrator and dentists - Windows CLI:
  1. On the PC, select Start > Run, enter “cmd”, and select OK.
  2. At the command prompt, type:
  3. route ADD 0.0.0.0 MASK 0.0.0.0 172.100.20.5 METRIC 10

    route ADD 192.168.10.0 MASK 255.255.255.0 192.168.10.1 METRIC 5

  4. Confirm these routes have been added. Type:
  5. route PRINT

    If you don't see the two routes you added, try adding them again, while paying attention to avoid spelling mistakes.

  6. Test that you can communicate with other computers on the local network, and with the Internet. If there are no other computers on the local network, connect to the FortiGate.

Configure other PCs on the local network

The PCs on the local network without Internet access (for example, the exam room PCs) can be configured now.

As this step doesn't require any routing, details haven't been included.

Testing network configuration

There are three tests that you can run on the network to ensure proper connectivity:

  • Test that PCs on the local network can communicate
  • Test that Internet_PCs on the local network can access the Internet
  • Test that non-Internet_PCs can't access the Internet

Test that PCs on the local network can communicate

  1. Select any two PCs on the local network, such as Exam4 and Dentist3.
  2. On the Exam4 PC, at the command prompt, enter ping 192.168.10.23.
  3. The output from this command should appear similar to the following:

    Pinging 192.168.10.23 with 32 bytes of data:

    Reply from 192.168.10.23: bytes=32 time<1m TTL=255

    Reply from 192.168.10.23: bytes=32 time<1m TTL=255

    Reply from 192.168.10.23: bytes=32 time<1m TTL=255

  4. At the command prompt, enter exit to close the window.
  5. On the Dentist3 PC, at the command prompt, enter ping 192.168.10.34.
  6. The output from this command should appear similar to the following:

    Pinging 192.168.10.34 with 32 bytes of data:

    Reply from 192.168.10.34: bytes=32 time<1m TTL=255

    Reply from 192.168.10.34: bytes=32 time<1m TTL=255

    Reply from 192.168.10.34: bytes=32 time<1m TTL=255

  7. At the command prompt, enter exit to close the window.
  8. Repeat these steps for all PCs on the local network.
  9. If the output doesn't appear similar to above, there's a problem with the network configuration between these two PCs.

To test that Internet_PCs on the local network can access the Internet

The easiest way to access the Internet is with an Internet browser. However, if that doesn't work, it's best to do a traceroute to see at what point the problem is. This can help determine if it's a networking problem, such as cabling, or if it's an access problem, such as this PC not having Internet access.

  1. Select any PC on the local network that's supposed to have Internet access, such as Admin.
  2. On the Admin PC, open an Internet browser and attempt to access a website on the Internet, such as http://www.fortinet.com.
  3. If this is successful, this PC has Internet access.

  4. If step2 wasn't successful, at the command prompt on the PC, enter traceroute 22.11.22.33.
  5. The output from this command should appear similar to:

    Pinging 22.11.22.33 with 32 bytes of data:

    Reply from 22.11.22.33: bytes=32 time<1m TTL=255

    Reply from 22.11.22.33: bytes=32 time<1m TTL=255

    Reply from 22.11.22.33: bytes=32 time<1m TTL=255