Contributor
October 6, 2008
Question

DNS issue in SSL vpn

  • October 6, 2008
  • 6 replies
  • 59335 views
Dear All, I'm new to this forum; we have a slight issue with our SSL VPN. We are using an FGT60B with the MR7 patch. I have given a tunnel IP address range like 192.168.1.10-50 and also enabled split tunneling (192.168.1.5-15).

The firewall policies we have given are:

Internal_to_WAN2: the source and destination are all, the service is any and the action is accept.
WAN2_to_Internal: source and destination are all, service is any and action is SSL VPN.
One more rule is there from the same interface (WAN2_to_Internal): source and destination all, action is accept, service is any.

The SSL users are authenticating locally. When I try web-only access, I can access my entire internal network, but it is not resolving DNS (e.g. if I want to access my server http://spheread.ae it's not working; only if I type the IP address is it working). The second issue: if I activate tunnel mode I cannot access anything, neither the internet nor the remote site. I've been struggling with this issue for the past week; I tried a lot of troubleshooting, but unfortunately nothing worked. Please help me!

    6 replies

    Contributor
    October 9, 2008
    OK,
    1) First of all, for DNS issues: add your local DNS server addresses in VPN --> SSL --> Advanced --> DNS Server#1 and DNS Server#2 (if you have a secondary DNS server). This should be the IP address of your internal DNS server, which is responsible for resolving the host names to their LAN IPs. In a typical Active Directory scenario, your Domain Controller will be your internal DNS server.
    2) When you activate tunnel mode, a new virtual connection is created in your network connections (on the client side) with the name "fortissl". Go to the Properties of that connection and then further to TCP/IP Properties. Click on Advanced and make sure that "Use default gateway on remote network" is unchecked. Click OK and OK again and close the connection properties. Now connect to the tunnel again and the problem should be resolved.
    rwpatterson
    New Member
    October 9, 2008
    In the FortiSSL adapter, you may need to add your local domain name as well.
    MontanaMike
    New Member
    October 14, 2008
    ORIGINAL: rwpatterson: In the FortiSSL adapter, you may need to add your local domain name as well.
    Is there any way to force that from the firewall? I've been running into that recently as we migrate from a Cisco 3005 to the FortiGate. Users are expecting to type stuff like http://host/ and have the system append the domain name to the request. It worked that way in the Cisco but so far, not in the FortiGate.
    Contributor
    October 12, 2008
    Thanks guys, I tried all the ways, but unfortunately it's not working. I also updated to the latest firmware, MR7 730, but the DNS and tunnel mode issues aren't solved yet. Is there any way to map the DNS to the FG directly, like making the FG box act as a sub-DNS or something like that?
    Contributor
    October 12, 2008
    This issue has been resolved; there was a problem with the "DNS override" on the WAN interface. Now it's working fine. Thank you,
    MontanaMike
    New Member
    October 14, 2008
    ORIGINAL: muhammed sathar: This issue has been resolved; there was a problem with the "DNS override" on the WAN interface. Now it's working fine. Thank you,
    Where is that setting?
    Contributor
    October 15, 2008
    If you check the WAN interface settings you can find two options there: 1 - retrieve DG from server and 2 - DNS override. So what I did was just uncheck this option and the DNS issue was resolved, but I still have some other problems with tunnel mode... When I enable tunnel mode, I cannot access anything, but from the SSL web page I can ping and reach the remote network. Can you please look at this and correct me if I miss anything over here:

    internal IP range: 192.168.1.0/24
    tunnel range: 192.168.1.240-250
    restricted tunnel range IP: 192.168.1.240-250
    The internet is directly connected to the FGT (PPPoE).

    Firewall rules:
    internal to wan1: source IP and dest IP: all, action: any
    internal to ssl.root: source IP and dest IP: all, action: any
    ssl.root to internal: source IP and dest IP: all, action: any
    wan1 to internal: source IP: all and dest IP: internal range (192.168.1.0), action: SSL
    wan1 to internal: source IP and dest IP: all, action: any

    I guess it should work with this. Or is the way I configured it wrong? Please help me...
    rwpatterson
    New Member
    October 16, 2008
    The internal IP range and the SSL VPN IP range are the same. You cannot route to the same IP subnet over two different interfaces. Change the tunnel range to 192.168.2.x/24. Web mode goes from the FGT itself, so it will work fine.
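The two configuration mistakes this thread keeps circling back to (a tunnel IP pool carved out of the internal LAN subnet, and SSL VPN clients handed no internal DNS server) are easy to catch before touching the firewall. The script below is an added example written for this page, not code from the thread or from Fortinet; the function names are mine, and the sample values are constructed to mirror the ranges quoted in the thread. It takes the start-end form the FortiGate GUI uses for the tunnel range, expresses it as CIDR blocks and reports an overlap with the internal subnet, and it flags a missing DNS server list.

```python
import ipaddress
from typing import List, Optional

# Example values constructed from the ranges quoted in the thread.
INTERNAL_SUBNET = "192.168.1.0/24"
BAD_TUNNEL_RANGE = ("192.168.1.240", "192.168.1.250")   # inside the LAN subnet
GOOD_TUNNEL_RANGE = ("192.168.2.240", "192.168.2.250")  # separate subnet
INTERNAL_DNS = ["192.168.1.5"]  # hypothetical internal DNS server


def range_to_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Express an inclusive start-end IPv4 range as the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))


def ranges_overlap(net: ipaddress.IPv4Network, start: str, end: str) -> bool:
    """True if any address of the start-end range lies inside `net`."""
    return any(net.overlaps(block) for block in range_to_networks(start, end))


def check_sslvpn_addressing(internal_cidr: str,
                            tunnel_start: str,
                            tunnel_end: str,
                            dns_servers: Optional[List[str]] = None) -> List[str]:
    """Return a list of findings; an empty list means the addressing plan looks sane."""
    findings: List[str] = []
    internal = ipaddress.IPv4Network(internal_cidr, strict=True)

    # Finding 1: the tunnel pool must not be part of the LAN subnet, because the
    # FortiGate cannot route one subnet over two interfaces (ssl.root and internal).
    if ranges_overlap(internal, tunnel_start, tunnel_end):
        findings.append(
            f"tunnel pool {tunnel_start}-{tunnel_end} overlaps internal subnet "
            f"{internal}; move the pool to a separate subnet")

    # Finding 2: without a DNS server pushed to clients, names will not resolve
    # even though raw IP addresses work (the symptom in the original post).
    if not dns_servers:
        findings.append(
            "no DNS server configured for SSL VPN clients; host names will not resolve")
    else:
        for server in dns_servers:
            addr = ipaddress.IPv4Address(server)  # raises ValueError if malformed
            # A DNS server handed out from inside the tunnel pool would be unreachable
            # for the very client that was assigned that address, so flag it.
            if ranges_overlap(ipaddress.IPv4Network(f"{addr}/32"), tunnel_start, tunnel_end):
                findings.append(f"DNS server {server} lies inside the tunnel pool")
    return findings


if __name__ == "__main__":
    for label, rng in (("as posted", BAD_TUNNEL_RANGE), ("after the fix", GOOD_TUNNEL_RANGE)):
        result = check_sslvpn_addressing(INTERNAL_SUBNET, *rng, INTERNAL_DNS)
        print(f"{label}: {result or 'OK'}")
```

Run it as a script and the "as posted" plan reports the overlap while the corrected 192.168.2.x pool passes; the same function can be fed any LAN subnet and tunnel range when planning a new SSL VPN deployment.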
    Contributor
    October 16, 2008
    I'm sorry, I had tried this option before I changed to this... Anyway, I have changed it again as you told me, but even so it's not working. I guess there is something related to the PPPoE or DynDNS. The internet connection is directly connected to the FGT and it's a DSL connection; that's why I use DynDNS on the WAN interface.
    Contributor
    October 19, 2008
    Good news!... It's working fine... I guess it was because of the firmware... it worked automatically and I didn't make any changes... Thank you,