Technical Tip: Hairpin NAT over SSL VPN
Description
This article describes how to access internal resources over SSL VPN via the external (public) IP address of the FortiGate.
The following high-level diagram illustrates the scenario:

Scope
FortiGate.
Solution
Users on the Site A network connect over SSL VPN to reach resources on the remote Site B network; however, they do not know the private IP addresses of those resources.
Hairpin NAT can be used here so that Site A users reach the Site B network through its public IP address.
Here is the step-by-step guide:
- Create a VIP rule (the keyword is extintf, the external interface on which the public IP is reachable):
config firewall vip
    edit "VIP"
        set extip 180.120.131.78
        set extintf "wan1"
        set mappedip 192.168.10.1
    next
end
- The VIP rule can be added to the SSL VPN policy only if the related SSL VPN portal is in tunnel mode; therefore, web mode should be disabled on that portal.
- Create a policy from SSL VPN to wan1 with the public IP address of wan1 as the destination (interface names are case-sensitive, and the user-group option is "groups"):
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "IP-180.120.131.78"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "ssl_vpn_user_group"
    next
end
- Create a policy from wan1 to Internal with the VIP rule as the destination; this policy accepts the SSL VPN traffic after it has been sent to the internet and returns to wan1, where the VIP translates it to the internal address:
config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "Internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "VIP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
The goal is to send the SSL VPN traffic to the internet and then redirect it from the internet back to the FortiGate.
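To confirm that the hairpin actually takes place, the following verification sequence is an added example, not part of the original article; it assumes the VIP, interface and address names used above and a tunnel-mode user opening a connection to 180.120.131.78 while the commands run on the FortiGate CLI:

```fortios
diagnose sys session filter clear
diagnose sys session filter dst 180.120.131.78
diagnose sys session list
diagnose sniffer packet any 'host 180.120.131.78' 4 0 l
diagnose debug flow filter clear
diagnose debug flow filter addr 180.120.131.78
diagnose debug enable
diagnose debug flow trace start 20
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

A working hairpin shows two sessions (one from ssl.root toward wan1 matching policy 1, one on wan1 with act=dnat toward 192.168.10.1 matching policy 2), the sniffer shows the packet leaving and re-entering wan1, and the flow trace reports the DNAT followed by "Allowed by Policy-2". If only the first session appears, the traffic is not coming back in on wan1 and the VIP on extintf "wan1" never matches.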
Note: SSL VPN tunnel mode is deprecated from FortiOS version 7.6.3 and above. For more information, refer to Technical Tip: Changes on SSL VPN modes starting from v7.6.3.