eberrick
New Member
March 2, 2020
Solved

no VPN access to subnetwork in LAN

  • March 2, 2020
  • 1 reply
  • 8934 views

Hi Guys,

I am Ernest and new to Fortigate.

I have two LANs in my network (192.168.0.0/16 and 172.20.0.0/16).

There is routing defined in the core between these two LANs which allows access to services and applications on either side.

My Fortigate Firewall however is directly connected to an interface on the 192.168.0.0 network.

I have configured SSL VPN access to the network on the FG Firewall; my problem however is that I am unable to reach the 172.20.0.0 network over the SSL VPN connection.

I would really appreciate your input as to how to resolve this.

Thanks.

    Best answer by eberrick

    Hi Shawn,

    The connection now works after restarting the box. A bit strange it took a reboot to take effect, but it's working now.

    Your advice has been eye-opening and I am grateful for the support.

    Thanks.

    1 reply

    ShawnZA
    New Member
    March 2, 2020

    Are you using split tunneling for the VPN?

    If yes did you also define the 172.20.0.0/16 in there to route for VPN clients?

    And did you also add it to the firewall policy to allow your VPN traffic to both 192.168.0.0/16 and 172.20.0.0/16?

    eberrick (Author)
    New Member
    March 2, 2020

    Hi Shawn,

    Thanks for the response.

    I have enabled split tunneling. I also created a static route via the LAN interface to the 172.20.0.0 network and created a policy allowing SSL VPN access to both networks.

    I am however only able to reach the 192.168.0.0 network.

    I do not want to create another ptp link just for access to the second LAN, but that may be the last resort.

    ShawnZA
    New Member
    March 2, 2020

    Did you define 172.20.0.0/16 in the Split Tunneling routing addresses?

    If you look at the screenshot, do you have both 192.168.0.0/16 and 172.20.0.0/16 in there as routing addresses?

    And can you browse the internet from the 172.20 network? If you only added a static route into that network now, I take it internet was never accessible from that range.

    Can you ping your firewall internal LAN IP from a device in that range?
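Pulling Shawn's checklist together as an added configuration example (this is not from the thread and not eberrick's actual config; the address-object names, the `internal` interface name, the `192.168.0.1` core-router gateway, the portal name and the `SSLVPN_Users` group are assumptions), here is the FortiOS CLI equivalent of the three items: the static route, the split-tunnel routing addresses, and the policy. Leaving `LAN_172` out of `split-tunneling-routing-address` produces exactly the symptom in the original post: the client never sends 172.20.x.x into the tunnel, so the static route and policy on the firewall never see that traffic.

```fortios
# Address objects for both internal networks (names are assumptions)
config firewall address
    edit "LAN_192"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "LAN_172"
        set subnet 172.20.0.0 255.255.0.0
    next
end

# Route to the second LAN via the core router on the directly connected LAN
# (gateway and interface name are placeholders for this example)
config router static
    edit 0
        set dst 172.20.0.0 255.255.0.0
        set gateway 192.168.0.1
        set device "internal"
    next
end

# SSL VPN portal: with split tunneling enabled, the routing-address list is
# what the client installs as routes into the tunnel. Listing only "LAN_192"
# here is the failing state; both networks must be present.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_192" "LAN_172"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Policy from the SSL VPN interface to the LAN interface for both destinations.
# NAT is enabled so replies from 172.20.x.x hosts return to the FortiGate's LAN
# address instead of needing a route for the tunnel pool on the core router.
config firewall policy
    edit 0
        set name "SSLVPN_to_LANs"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_192" "LAN_172"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN_Users"
        set nat enable
    next
end
```

Two checks after applying it: `get router info routing-table all` should list the route as `S 172.20.0.0/16 [10/0] via 192.168.0.1, internal`, and a client that was already connected has to reconnect, because the split-tunnel routes are pushed when the tunnel is established rather than live. If you prefer to leave NAT off the policy, the core router then needs a return route for the SSL VPN tunnel pool pointing at the FortiGate's LAN address; Shawn's question about pinging the firewall's internal IP from a 172.20 host is the quick test of that return path.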