Hi, thanks. I have recently started to set up Fortinet products. :) Actually, I have 6 public IP addresses. One IP is already assigned to WAN1, and I would like to use the 2nd IP for SSL VPN, so I tried to create a VIP for it. Example scenario: services have static NAT to other servers. Below is just a simple test case that I have done, to test whether a VIP can be used for SSL VPN with PAT.

443 = https
10443 = sslvpn
wan1 = 10.1.1.1/32 (public IP assigned by the ISP through PPPoE)
VIP (https) = 10.1.1.1 --> 172.16.1.1, 443 --> 443
VIP (sslvpn) = 10.1.1.2 --> 172.16.1.2, 443 --> 10443

OK, for some reason on the second VIP I am not able to use 443 again for 10.1.1.2, so I try to use 443 but map it to 10443. This is because the client site blocks 10443. In order to use SSL VPN, I try to use the 2nd public IP with port 443 mapped to 10443. This is what I was trying to ask earlier: can SSL VPN be used on a VIP??? Because in my test case, I have failed. Login from the client PC to https://10.1.1.1:10443 [successful], but trying https://10.1.1.2:443 [failed]. Maybe I have to play around in the firewall policy? Or is there some other setting I missed for the VIP? I couldn't find any detail or guide regarding this in the Fortinet knowledge base. Should I say VIP is for NATing, and NATing can't be used with SSL VPN for tunneling, am I right? Any advice from you? Thanks
Actually, I have 6 public IP addresses. One IP is already assigned to WAN1, and I would like to use the 2nd IP for SSL VPN, so I tried to create a VIP for it.
Hmm... that will not work; your FTG device is the SSL VPN tunnel's end. If your main concern is using different port numbers for administrative access to the unit, just change them according to your needs; under System->Admin->Settings you can adjust your HTTPS port to release 443, for example, for other uses; assign another number to the SSL VPN port, and so on. Regards
Hi abelio, it is not a concern about administrative access. Yes, true, that sure can work by changing the SSL VPN port. I even disabled HTTPS (443) in [Admin-->Settings] for the testing. The customer would like to use the 2nd public IP with port 443 for SSL VPN, and keep the 1st public IP with port 443 for the HTTPS service.
Try this:
Set FortiGate admin SSLVPN to 443.
Set FortiGate admin HTTPS to 10443 (or something else).
The public IP assigned to WAN1 is used for SSL-VPN.
Create a VIP with External Interface WAN1, external IP = the 2nd public IP, mapped to the public IP address of the FortiGate WAN1 interface, external port 443 mapped to port 10443. I have advised the customer to change the port.
Create a firewall rule from WAN1/any to WAN1/VIP.
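The port-forwarding VIP that jmac and the original poster describe (2nd public IP, TCP 443, forwarded to the FortiGate's own WAN1 address on 10443, where the SSL VPN already answers in the original poster's test), written out as FortiOS CLI. This is an added illustration, not configuration from any poster in the thread; the VIP and policy keywords are standard FortiOS CLI, the object names are made up, and the addresses are the ones the original poster gave.

```fortios
# Added example (not from the thread). Addresses from the original post:
#   WAN1 public IP  = 10.1.1.1   (SSL VPN listening on 10443)
#   2nd public IP   = 10.1.1.2   (clients may only reach TCP 443)
# Object names are made up for this illustration.

# Port-forwarding VIP: 10.1.1.2:443 -> 10.1.1.1:10443 on WAN1.
# The mapped address is the FortiGate's own WAN1 IP, which is the point
# the thread is testing (VIP towards a host behind the unit is the normal use).
config firewall vip
    edit "vip-sslvpn-443-to-10443"
        set extintf "wan1"
        set extip 10.1.1.2
        set mappedip 10.1.1.1
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 10443
    next
end

# Policy from WAN1 to WAN1 (jmac's "WAN1/any to WAN1/VIP"), TCP 443 only,
# with full traffic logging so a failed attempt is visible in the logs.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "vip-sslvpn-443-to-10443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Later replies in the thread report that this still fails at login ("Permission denied"), and support's answer is that the SSL VPN must be tied to the access interface itself, so read this as a record of what was tried rather than a working recipe.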
Hi jmac, yes, I have tried that too, but something weird happened. I was able to access the SSL VPN web page (https://10.1.1.2), but when I tried to log in with a correct username & password, the login failed with the error message "Permission denied". I even created a VIP with the 2nd public IP mapped to the internal interface, external port 443 mapped to port 10443, but it still failed. What I'm thinking is that the SSL VPN has to be tied to the physical interface WAN1 and not a VIP... I'm not so sure, need to ask an expert. Regards
If you want another (v)IP for the SSL-VPN, or more than one SSL-VPN on multiple IPs, then you can use VDOMs for that and create a VIP to redirect the external IP to inter-VDOM links. Cheers, Eric
I actually opened a ticket a while ago with this issue, and they said the only way to do this is to enable the overlap-subnet command, and then assign the public IP as a secondary IP on the interface. Here is the output from that ticket:
------------------------------------
Thanks for the update. As per my understanding of your scenario, I have tried the below scenario in my lab:
FortiGate's WAN1 - 192.168.140.207/23
Internal IP - 10.129.0.207/23
Created a VIP on the FortiGate with external IP 192.168.0.207:443 to a web server with local IP 10.129.0.204:443.
Assigned a secondary IP on WAN1 as 192.168.140.188/23 after enabling subnet-override as below:
config system settings
    set allow-subnet-overlap enable
end
Changed the HTTPS port to 442 and the SSLVPN login port to 443 in Admin -> Settings.
Result: I am able to access SSL VPN on http://192.168.140.188, the web server on https://192.168.140.207 and the FortiGate on https://192.168.140.207:442.
Please check and let me know if the above example meets your requirement. As requested earlier, please provide me the config file of the FortiGate in case of any further assistance.
I would fire the SE that advises this. Allowing overlapping subnets removes the stateful inspection of a firewall, and that is not what anybody wants. It also allows asymmetric routing. NEVER ever go this way. Regards, Eric
But I logged a case for this as well, and support just told me that the SSL VPN needs to be tied to the access interface, which is either the WAN1 or WAN2 interface.