Michael_Boskovic
New Member
July 25, 2014
Question

Change IP that SSL VPN service listens on

Is it possible to change the IP that the SSL VPN service responds to requests on? For example, I have a /28 block of IP' s from my ISP and I want the WAN interface to be .2 and the SSL VPN login page to be .3


    ede_pfau
    SuperUser
    July 27, 2014
    hi, and welcome to the forums! There is no setting for specifying the IP directly. Instead, you could try to use a VIP with port mapping:

    Firewall objects > Virtual IP > Create new
      • external IP: one of your WAN IPs
      • external port: say, 20443
      • mapped to: your primary WAN IP
      • mapped to port: 10443 (default for SSL VPN)

    Then, create a policy:
      • src IF: WAN
      • src IP: all
      • dst IF: WAN
      • dst IP: your VIP
      • service: custom service for tcp/20443
      • schedule: ...
      • action: accept
      • NAT: no

    Give it a try and let us know how it works.
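The recipe above written out in FortiOS CLI form, as an added example that is not part of ede_pfau's post. It assumes the /28 from the question is 203.0.113.0/28 (a constructed documentation range), that the WAN port is wan1 with primary address 203.0.113.2, that the spare address that should answer for SSL VPN is 203.0.113.3, and that the SSL VPN listener is on its default port 10443; the object names are made up.

```fortios
# Added example (not from the thread). Assumed addressing: 203.0.113.2 = primary
# wan1 IP, 203.0.113.3 = spare IP from the same /28 that should answer for SSL VPN.

# 1. Custom service for the external port clients will connect to.
config firewall service custom
    edit "SSLVPN-20443"
        set tcp-portrange 20443
    next
end

# 2. Port-forwarding VIP: 203.0.113.3:20443 -> 203.0.113.2:10443 (the SSL VPN listener).
#    The FortiGate answers ARP for extip on extintf, so no secondary IP is needed.
config firewall vip
    edit "sslvpn-vip"
        set extip 203.0.113.3
        set extintf "wan1"
        set portforward enable
        set mappedip "203.0.113.2"
        set extport 20443
        set mappedport 10443
    next
end

# 3. wan1 -> wan1 policy that accepts traffic to the VIP. No source NAT, log it.
config firewall policy
    edit 0
        set name "sslvpn-via-vip"
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "sslvpn-vip"
        set action accept
        set schedule "always"
        set service "SSLVPN-20443"
        set nat disable
        set logtraffic all
    next
end
```

Clients then use https://203.0.113.3:20443/. To confirm the translation while a client connects, run `diagnose sniffer packet wan1 'port 20443 or port 10443' 4` on the FortiGate: the SYN arrives for 203.0.113.3:20443 and the session is handed to the listener on 203.0.113.2:10443. This only adds a second path; the original https://203.0.113.2:10443 keeps answering unless you block it separately.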
    mark14
    New Member
    January 30, 2019

    To summarize, so at this point there is only one solution?


    ede_pfau wrote:
    hi, and welcome to the forums! There is no setting for specifying the IP directly. Instead, you could try to use a VIP with port mapping:

    Firewall objects > Virtual IP > Create new
      • external IP: one of your WAN IPs
      • external port: say, 20443
      • mapped to: your primary WAN IP
      • mapped to port: 10443 (default for SSL VPN)

    Then, create a policy:
      • src IF: WAN
      • src IP: all
      • dst IF: WAN
      • dst IP: your VIP
      • service: custom service for tcp/20443
      • schedule: ...
      • action: accept
      • NAT: no

    Give it a try and let us know how it works.

    Michael_Boskovic
    New Member
    July 28, 2014
    Thanks for the reply! I tried the fix you recommended and everything seemed to work. Not the ideal solution I was hoping for, but serves as a valid alternative. Thanks for the help!
    ede_pfau
    SuperUser
    July 28, 2014
    Using a VIP for an additional public IP address is perfectly valid. The FGT will even respond to ARP requests for it just as if it was a "physical" address. Furthermore, the mapped-to address is "masked", that is, for incoming traffic the destination is NATted and for return traffic the source IP is NATted. Glad that it works for you now. Enjoy!
    FatalHalt
    New Member
    August 8, 2014
    I'm actually looking to do this same thing right now. Doing the VIP should work great for my purposes, however by doing that, wouldn't the 'normal settings' of https://primarywan:10443 still serve to access the VPN? What I'd like to do is change the IP, using a VIP in this case is fine, but then not allow the normal settings to work. Am I thinking about this right?
    ede_pfau
    SuperUser
    August 8, 2014
    Right, a VIP opens just another IP+port access. You could block access to the original IP+port via a Local In policy I guess.
    FatalHalt
    New Member
    August 8, 2014
    Just played around with this, and the local deny policy worked great. A VIP worked, but I also tried using a secondary wan1 IP, which worked as well, not sure which one I like more though.
    ede_pfau
    SuperUser
    August 8, 2014
    I'd go with a VIP anytime. First, it's much more visible, and secondly, you can narrow it down to just 1 port. But it's your choice...
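The local-in deny that FatalHalt and ede_pfau discuss above, in FortiOS CLI form, as an added example that is not part of either post. It assumes the primary wan1 address is 203.0.113.2 (constructed documentation range), the SSL VPN listener is on tcp/10443, the VIP for the new address is already configured, and that local-in policy id 1 is free; the object names are made up.

```fortios
# Added example (not from the thread). Assumes wan1 primary IP 203.0.113.2 and the
# SSL VPN listener on tcp/10443; the VIP on the second public IP is configured separately.

# Address object for the primary WAN IP we no longer want to answer for SSL VPN.
config firewall address
    edit "wan1-primary-ip"
        set subnet 203.0.113.2 255.255.255.255
    next
end

# Service object for the listener port.
config firewall service custom
    edit "SSLVPN-10443"
        set tcp-portrange 10443
    next
end

# Local-in policy: drop direct connections from wan1 to the primary IP on 10443.
# Local-in policies govern traffic addressed to the FortiGate itself, which is
# what a connection to its own SSL VPN listener is.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "wan1-primary-ip"
        set service "SSLVPN-10443"
        set schedule "always"
        set action deny
    next
end
```

After applying it, test both paths from outside: the VIP URL on the second address must still open the login page, and https://203.0.113.2:10443/ must be refused. `diagnose sniffer packet wan1 'port 10443' 4` shows whether SYNs to the primary address are still being answered. Keep the deny narrow (one destination address, one port) so it cannot catch the VIP-forwarded sessions or other management traffic on wan1.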
    lobstercreed
    New Member
    May 20, 2020

    Super old thread, I know, but it was referenced in a more recent post and I wanted to make sure y'all knew that you can actually set up a loopback interface to accomplish this.

      • Create a loopback with some private IP address and then set the SSL-VPN to listen only on the loopback interface.
      • Then create the VIP to point to the private IP on the loopback.
      • Lastly create a policy from your WAN to your loopback for HTTPS.

    Boom, you have what you did here but without it listening on your actual public interface. I did this years ago myself actually to solve the problem of having more than one ISP but wanting a consistent VPN address (using BGP peering for my ISPs).
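The three loopback steps from lobstercreed's post in FortiOS CLI form, as an added example that is not part of the post. It assumes a spare public address 203.0.113.3 on wan1 (constructed documentation range), a constructed private loopback address 10.255.255.1/32 in the root VDOM, an SSL VPN listener port of 10443, and that clients connect on 443; the interface, VIP and policy names are made up.

```fortios
# Added example (not from the thread). Assumes 203.0.113.3 is a spare public IP on
# wan1 and 10.255.255.1/32 is a free private address used only for the loopback.

# 1. Loopback interface holding the private address the SSL VPN daemon binds to.
config system interface
    edit "sslvpn-lo"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end

# 2. Make SSL VPN listen only on the loopback, so wan1's own addresses stop answering.
config vpn ssl settings
    set source-interface "sslvpn-lo"
    set source-address "all"
    set port 10443
end

# 3. VIP: public 203.0.113.3:443 -> loopback 10.255.255.1:10443.
config firewall vip
    edit "sslvpn-lo-vip"
        set extip 203.0.113.3
        set extintf "wan1"
        set portforward enable
        set mappedip "10.255.255.1"
        set extport 443
        set mappedport 10443
    next
end

# 4. Policy wan1 -> loopback for HTTPS. With a VIP as dstaddr the service is
#    matched against the VIP's external port (443), not the mapped port.
config firewall policy
    edit 0
        set name "wan1-to-sslvpn-lo"
        set srcintf "wan1"
        set dstintf "sslvpn-lo"
        set srcaddr "all"
        set dstaddr "sslvpn-lo-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

Clients use https://203.0.113.3/ and never see the loopback address. For the multi-ISP case the post mentions, add a second VIP on wan2 with that ISP's public address and a matching wan2 -> sslvpn-lo policy; both map to the same 10.255.255.1:10443, so the listener configuration never changes when an uplink does. Because the listener is bound to the loopback only, the old https://<wan1-ip>:10443/ path stops answering without needing a separate local-in deny.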