cashbuddy
New Member
July 4, 2018
Question

Full access and RDP only access on FortiGate 200E

  • July 4, 2018
  • 1 reply
  • 22480 views

Hi Guys,

We need to create two profiles for remote VPN access on the FortiGate.

FULL access:

Laptop users have all ports open to the LAN (for RDP/SMB/HTTP(S) traffic to servers) and use the UTM (10.20.1.254) as the gateway.

The problem is that when I configured the VPN profile there was no way to assign a gateway. How can I do this?

At the moment the laptop gets 10.20.3.2 and its gateway is 10.20.3.3.

RDP access:

Users have access only to their workstations in the office. This is somehow already sorted by allowing only RDP and DNS in the Remote to Local policy.

No gateway is to be assigned; currently it automatically assigns 10.20.3.3.

Please see the attached diagram.

Kind Regards


    AKDetewe
    New Member
    July 5, 2018

    Do you use SSL VPN or IPsec VPN for remote access?

     

    cashbuddy (Author)
    New Member
    July 5, 2018

    I use an IPsec VPN route-based configuration:

    config vpn ipsec phase1-interface
        edit "Full"
            set type dynamic
            set interface "wan"
            set mode aggressive
            set peertype any
            set mode-cfg enable
            set comments "VPN: Full (Created by VPN wizard)"
            set wizard-type dialup-forticlient
            set xauthtype auto
            set authusrgrp "VPN users"
            set ipv4-start-ip 10.20.3.0
            set ipv4-end-ip 10.20.3.250
            set dns-mode auto
            set save-password enable
            set psksecret ENC **removed**
        next
    end

     

    In the policy, "FULL -> Internal" is allowed on all protocols, and vice versa.

    This way the laptop has full access to the local network and can even connect to the internet after configuring proxy settings.

    This is the IP configuration from the Windows client:

     

    Ethernet adapter Ethernet 2:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
       Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::1143:fdc3:7b21:8a2f%8(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.20.3.200(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Lease Obtained. . . . . . . . . . : 05 July 2018 12:11:32
       Lease Expires . . . . . . . . . . : 11 August 2154 20:56:32
       Default Gateway . . . . . . . . . : 10.20.3.201
       DHCP Server . . . . . . . . . . . : 10.20.3.201
       DHCPv6 IAID . . . . . . . . . . . : 671090959
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-17-67-CE-78-2B-CB-7A-82-2D
       DNS Servers . . . . . . . . . . . : 10.20.1.18
                                           10.20.1.12
       NetBIOS over Tcpip. . . . . . . . : Enabled

     

     

    Is there a way to assign a gateway in the phase1 or phase2 configuration?

    I checked all the CLI options, but none of them seems to do what I want.

    I partially resolved the issue by adding a static route to another internal network:

     

    config router static
        edit 2
            set status enable
            set dst 192.168.100.0 255.255.255.0
            set gateway 10.20.1.254
            set distance 10
            set weight 0
            set priority 0
            set device "internal"
            set comment ''
            set blackhole disable
            set dynamic-gateway disable
            set virtual-wan-link disable
            set link-monitor-exempt disable
        next
    end

     

    But ideally I would like the FortiGate to assign 10.20.1.254 as the default gateway, not the IP incremented by 1.

     

    AKDetewe
    New Member
    July 5, 2018

    config vpn ipsec phase1-interface
        edit "Full"

    Use "get" to see all possible entries.

            set default-gw 10.20.1.254
    end

     

    Regards

    Andreas
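The two profiles the question asks for, written out as one added FortiOS CLI example. This is not part of the thread and not the poster's or Andreas's configuration; it keeps the wizard-generated settings shown above (dialup phase1, IKEv1 aggressive mode, mode-cfg, XAuth) and the thread's addresses (pool 10.20.3.0-10.20.3.250, LAN 10.20.1.0/24 on "internal", 192.168.100.0/24 behind 10.20.1.254). Everything else is assumed and does not appear in the thread: a second pool 10.20.4.0/24 and user group "RDP users" for the RDP profile, the address objects "VPN_Full_pool", "VPN_RDP_pool", "LAN_10.20.1.0" and "Workstations", and the peer IDs "full-users" and "rdp-users", which must also be entered as the Local ID in the two FortiClient profiles so the FortiGate can tell two dialup tunnels on the same wan interface apart.

```fortios
# Added example, not the thread's configuration. Objects marked "assumed"
# do not appear in the thread; addresses not marked are taken from it.

config firewall address
    # assumed: the addresses mode-cfg hands out to Full-profile clients
    edit "VPN_Full_pool"
        set subnet 10.20.3.0 255.255.255.0
    next
    # assumed: a separate pool for RDP-profile clients
    edit "VPN_RDP_pool"
        set subnet 10.20.4.0 255.255.255.0
    next
    # the "internal" network from the thread, under an assumed name
    edit "LAN_10.20.1.0"
        set subnet 10.20.1.0 255.255.255.0
    next
    # assumed: the range holding the office desktops users RDP into
    edit "Workstations"
        set type iprange
        set start-ip 10.20.1.100
        set end-ip 10.20.1.199
    next
end

config vpn ipsec phase1-interface
    edit "Full"
        set type dynamic
        set interface "wan"
        set mode aggressive
        # peer ID instead of "peertype any": with two dialup tunnels on one
        # interface the FortiGate needs the IKE ID to pick the right one
        set peertype one
        set peerid "full-users"
        set mode-cfg enable
        set xauthtype auto
        set authusrgrp "VPN users"
        set ipv4-start-ip 10.20.3.0
        set ipv4-end-ip 10.20.3.250
        set dns-mode auto
        # no ipv4-split-include: every client destination enters the tunnel,
        # which matches the /32 address and tunnel default gateway in the
        # poster's ipconfig output
        set psksecret <long-random-psk>
    next
    edit "RDP"
        set type dynamic
        set interface "wan"
        set mode aggressive
        set peertype one
        set peerid "rdp-users"
        set mode-cfg enable
        set xauthtype auto
        set authusrgrp "RDP users"
        set ipv4-start-ip 10.20.4.1
        set ipv4-end-ip 10.20.4.250
        set dns-mode auto
        # only the office LAN is pushed to the client as a tunnel route
        set ipv4-split-include "LAN_10.20.1.0"
        set psksecret <long-random-psk>
    next
end

config vpn ipsec phase2-interface
    edit "Full"
        set phase1name "Full"
    next
    edit "RDP"
        set phase1name "RDP"
    next
end

# The FortiGate, not the client, has to know where 192.168.100.0/24 lives;
# this is the poster's own static route reduced to the fields that matter.
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set gateway 10.20.1.254
        set device "internal"
    next
end

config firewall policy
    edit 0
        set name "Full_to_internal"
        set srcintf "Full"
        set dstintf "internal"
        set srcaddr "VPN_Full_pool"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # RDP profile: only TCP/3389 and DNS, only to the workstation range
    # ("RDP" and "DNS" are predefined FortiOS services)
    edit 0
        set name "RDP_to_workstations"
        set srcintf "RDP"
        set dstintf "internal"
        set srcaddr "VPN_RDP_pool"
        set dstaddr "Workstations"
        set action accept
        set schedule "always"
        set service "RDP" "DNS"
    next
end
```

Two points this layout relies on. First, which destinations a client sends into the tunnel is decided by the phase2 selectors and the ipv4-split-include list, not by the default gateway shown on the virtual adapter: in both of the thread's examples (10.20.3.2 with gateway 10.20.3.3, 10.20.3.200 with gateway 10.20.3.201) that gateway is simply the assigned address plus one, the tunnel's own next hop. What happens to the packets after that is decided by the FortiGate's routing table, which is why the static route to 192.168.100.0/24 via 10.20.1.254 belongs on the FortiGate rather than on the client. Second, the restriction for the RDP profile lives entirely in the firewall policy: the same LAN prefix may be pushed to both profiles, but only RDP and DNS to the workstation range leaves the "RDP" tunnel interface. One caveat on the inherited settings: IKEv1 aggressive mode with a pre-shared key lets an observer of the exchange attempt an offline dictionary attack on the PSK, so the shared key should be long and random and the per-user XAuth credentials should be treated as the real authentication.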