Lassaad
New Member
January 5, 2010
Question

Ping Problem after SSL VPN Connection

Hi, I'm using FortiGate SSL VPN to set up a VPN tunnel between a computer in an external network (internet) and our network behind the FortiGate gateway. After verification in our forum I tested with creation of a local user and SSL profiles etc... When I try to connect to our network using the SSL VPN server (IP address of our gateway:10433), username and password, the connection ==> OK, but I can ping only my own IP address, not any other network IP address, and I cannot access our shared resources. Could you give me a solution for this problem? Thank you


    Contributor
    January 6, 2010
    Hi, which firmware version are you using? How do your policies look? I would guess you're missing a policy from ssl.root to the desired interface and subnet.
    rwpatterson
    New Member
    January 7, 2010
    Are you referring to the remote PC network shares being dropped? If so, you need to look into 'Split Tunneling'.
    Lassaad (Author)
    New Member
    February 3, 2010
    Hello Team, firmware version: Fortigate-60B 3.00-b0744 (MR7 Patch6). Policies:
    1/ external --> internal, action SSL-VPN, All ---> LAN
    2/ ssl.root ----> port1 external, all ---> all, accept
    3/ ssl.root ----> port2 external, accept
    Please, do you have a demonstration with pictures of all the steps in FortiGate? Thank you very much
    rwpatterson
    New Member
    February 3, 2010
    For tunnel mode, you should have:
    1) Policy from outside to ssl.root (SSL-VPN)
    2) Policy from ssl.root to internal entity(s) (ACCEPT)
    3) Static route for SSL VPN IP range from inside to ssl.root
    Lassaad (Author)
    New Member
    February 3, 2010
    Hello Team, I configured FortiGate SSL VPN using this document: http://www.beyaz.net/tr/dokumanlar/fortinet-ssl-vpn-konfigurasyonu.html Connection ---> OK, ping ---> NOK. Please see the attachment for received bytes. Thank you
    Lassaad (Author)
    New Member
    February 4, 2010
    Hello Team, just please verify this problem with me: when I do ipconfig /all I get an answer, but the gateway is wrong; it is the same as my IP address, so I cannot ping. Please can you verify with me. Thank you
    darrencarr
    New Member
    February 4, 2010
    Try changing your static route and use the destination as your ssl-vpn IP range and the gateway set to ssl.root. The IP you are given will be the same as your gateway, i.e. say the range was configured 10.254.254.0/24. You connect to the VPN, you are given 10.254.254.1 as your address and this is also set as your gateway. You then attempt your ping, which is allowed using the following policies:
    External (Internet) -> ssl.root, ACTION = SSL-VPN, Service = ANY (also ensure your respective users/groups are defined in this policy)
    ssl.root -> Internal, ACTION = ACCEPT, Service = Any (change this once you have it working to ICMP_ANY or ECHO, etc.)
    Now if you attempt to PING an internal node it should work.
    Routing: i.e. internal 192.168.2.2, ping 192.168.2.2. With you being connected to the VPN, and your default gateway being 10.254.254.1, the traffic will be forwarded to this interface. With your destination being set to the range 10.254.254.0/24 - gateway ssl.root, your policy ssl.root -> internal - ACCEPT - ANY should see these packets routed to the internal network. Providing the internal node does not have a firewall enabled, and routing is configured correctly, you will get your reply. Hope this helps?
    Lassaad (Author)
    New Member
    February 4, 2010
    Hello Team, I'm so sorry, because I tested with this configuration but it is always the same problem. This is a part of my ipconfig /all:
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
    Physical Address. . . . . . . . . : X-X-X-X-X-X
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.5.183
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.5.1
    DNS Servers . . . . . . . . . . . : 192.168.5.1
    Ethernet adapter Local Area Connection 3:
    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : Fortinet virtual adapter
    Physical Address. . . . . . . . . : X-X-X-X-X-X
    PPP adapter fortissl:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : X-X-X-X-X-X
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.185.200.235
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 10.185.200.235
    DNS Servers . . . . . . . . . . . : 10.185.200.3
                                        10.185.200.4
    Primary WINS Server . . . . . . . : 10.185.200.4
    Secondary WINS Server . . . . . . : 10.185.200.3
    My IP range: 10.185.200.235 ----> 10.185.200.239
    Please can you explain to me what I put in the static route part: destination IP/Mask: .................., Device: ssl.root, gateway 0.0.0.0 ---> all the time received bytes is 139. Thank you
    FortiRack_Eric
    New Member
    February 4, 2010
    You should use a different IP range from your internal range!
    darrencarr
    New Member
    February 4, 2010
    Agree with Eric here... Why don't you split up your ranges properly, i.e. have a dedicated, properly configured subnet for your ssl-vpn IP range? If you don't have these defined correctly the routing will get screwed up. In my test lab (just set up) I have the following:
    Internal = 192.168.2.0/24
    ssl-vpn ip range = 10.185.200.0/24
    Policies:
    External -> ssl.root, ACTION = SSLVPN, SERVICE = ANY
    ssl.root -> Internal, ACTION = SSLVPN, SERVICE = ANY
    When I connect to the VPN I get allocated IP 10.185.200.1, GATEWAY 10.185.200.1 (all good so far). I then initiate a PING from my host; I watch the traffic pass through the firewall. My host is configured correctly, I am allowing PING, etc. to the machine, and the machine's gateway is 192.168.2.1, which is an interface defined on my Fortigate in my test lab, so the machine has a route back to the external host. Looks like your IP addressing needs to be tidied up and your route for the destination network needs to be configured correctly. In my example above the configuration would be:
    DESTINATION: 10.185.200.0/24
    DEVICE: ssl.root
    GATEWAY: 0.0.0.0 (default)
    DISTANCE: 10 (default)
    Hope this helps?
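    The two things the replies keep coming back to are (a) the client pool must not overlap an internal subnet and (b) tunnel mode needs an SSL-VPN policy into ssl.root, an ACCEPT policy out of it, and a static route for the pool via ssl.root. The following added example (not from this thread or from Fortinet) checks a proposed addressing plan and policy list against those rules; the interface names "external" and "internal" and the sample pools are assumptions constructed from the figures quoted above.

```python
import ipaddress

# Added example, not from the thread. Assumed interface names: "external" for the
# internet-facing port, "internal" for the LAN; "ssl.root" is the FortiGate SSL VPN
# tunnel interface. All addresses used below are constructed from the thread.

def tunnel_route_targets(pool_start, pool_end):
    """CIDR prefixes covering the client pool; each one needs a static route
    whose device is ssl.root and whose gateway is left at 0.0.0.0."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)))

def overlapping_subnets(pool_start, pool_end, internal_subnets):
    """Internal subnets that collide with the client pool (Eric's objection)."""
    targets = tunnel_route_targets(pool_start, pool_end)
    return [s for s in internal_subnets
            if any(ipaddress.ip_network(s, strict=False).overlaps(t) for t in targets)]

def _norm(action):
    return action.lower().replace("-", "").replace("_", "")

def policy_problems(policies, external="external", internal="internal"):
    """policies: list of (srcintf, dstintf, action). Tunnel mode needs
    external -> ssl.root with action SSL-VPN and ssl.root -> internal with ACCEPT."""
    problems = []
    inbound = [_norm(a) for s, d, a in policies if s == external and d == "ssl.root"]
    if "sslvpn" not in inbound:
        problems.append(f"missing {external} -> ssl.root policy with action SSL-VPN")
    to_lan = [_norm(a) for s, d, a in policies if s == "ssl.root" and d == internal]
    if not to_lan:
        problems.append(f"missing ssl.root -> {internal} policy")
    elif "accept" not in to_lan:  # the typo abelio caught: SSLVPN instead of ACCEPT
        problems.append(f"ssl.root -> {internal} policy must be ACCEPT, not {to_lan[0].upper()}")
    return problems

def plan(pool_start, pool_end, internal_subnets, policies):
    """Bundle the checks with the static routes the pool requires."""
    routes = [f"dst {t.network_address} {t.netmask} device ssl.root gateway 0.0.0.0"
              for t in tunnel_route_targets(pool_start, pool_end)]
    return {"overlaps": overlapping_subnets(pool_start, pool_end, internal_subnets),
            "policy_problems": policy_problems(policies),
            "routes": routes}

if __name__ == "__main__":
    # Poster's setup: pool carved out of the LAN that holds the DNS servers.
    print(plan("10.185.200.235", "10.185.200.239", ["10.185.200.0/24"],
               [("external", "ssl.root", "SSL-VPN"), ("ssl.root", "internal", "SSL-VPN")]))
    # Dedicated /24 pool with a separate LAN, as in the lab described above.
    print(plan("10.254.254.0", "10.254.254.255", ["192.168.2.0/24"],
               [("external", "ssl.root", "SSL-VPN"), ("ssl.root", "internal", "ACCEPT")]))
```

    A five-address pool that is not aligned to a prefix boundary needs more than one static route, which the output makes visible.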
    abelio
    SuperUser
    February 5, 2010
    ORIGINAL: darrencarr
    Policies ... ssl.root -> Internal ACTION = SSLVPN SERVICE = ANY
    Excuse me, but ACTION must be ACCEPT here, not SSL-VPN.
    darrencarr
    New Member
    February 5, 2010
    Sorry, that was a typo; I had it correct earlier on in the thread!
    darrencarr
    New Member
    February 5, 2010
    Also, refer to this KB article: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=12948&sliceId=1&docTypeID=DT_KCARTICLE_1_1 Policies are slightly different in the KB article compared to what I have defined. I have only tested the policies I defined earlier in the thread.