hillsitsupp
Explorer
January 15, 2024
Solved

SSLVPN natting traffic to resource behind 2nd Fortigate

  • January 15, 2024
  • 4 replies
  • 2671 views

Hi

We have a SSLVPN Web portal on one Fortigate. When using it to get to resources behind a tunnel on another Fortigate, it seems to NAT the traffic despite the policy having NAT turned off.

[image: Fortinat.png]

FG2 sees the source address of traffic to AWS being 192.168.1.1 instead of 10.10.1.1

Can anyone explain what's going on here?

4 replies

AEK
SuperUser
January 15, 2024

Hi

Are you using Central SNAT on FG1?

AEK
hillsitsupp
Explorer
January 15, 2024

No, central NAT is disabled.

Toshi_Esumi
SuperUser
January 15, 2024

If you're not using Central NAT, as @AEK is asking, please share the policy config at FG1 with us:
    ssl.root -> FG1's internal interface that has 192.168.1.1

in the CLI. You need to go into "config firewall policy", then find the policy's ID with "edit x", then "show".

Toshi

hillsitsupp (Author, Answer)
Explorer
January 15, 2024

Edited:

Looks like this is expected behavior for web SSLVPN.

"The source IP address used by the FortiGate when accessing SSL VPN Web Portal bookmarks is the IP address configured for the outgoing interface specified in the SSL VPN security policy."

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Source-IP-used-by-FortiGate-to-access-resources/ta-p/193615?externalID=FD36530

Thanks for taking a look for me.

Toshi_Esumi
SuperUser
January 15, 2024

Yes, "web mode" traffic is basically initiated by the FGT. And that's why the other mode with FortiClient is called "tunnel mode".

Toshi
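As an added illustration (not code from the thread, from Fortinet, or from any poster), here is a small Python script that parses the `show` output Toshi asks for and predicts which source address the second FortiGate will see, for web mode versus tunnel mode, then checks that address against a downstream allow-list. The policy text, the interface addresses and the FG2 allow-list are constructed sample values (192.168.1.1 and 10.10.1.1 are the addresses from the original post; everything else is made up), and `parse_policy`, `expected_source_ip` and `covered_by` are names chosen for this example.

```python
import re
import shlex
import ipaddress

# Constructed sample of what `config firewall policy` -> `edit 7` -> `show`
# prints for the ssl.root -> internal policy on FG1 (not taken from the thread).
SAMPLE_POLICY = """\
config firewall policy
    edit 7
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat disable
        set groups "sslvpn-users"
    next
end
"""

# Constructed interface table: 192.168.1.1 is the address of FG1's internal
# interface and 10.10.1.1 the tunnel address handed to the client, as in the
# original post; the wan1 address is made up.
INTERFACE_IPS = {"internal": "192.168.1.1", "wan1": "203.0.113.2"}


def parse_policy(show_output):
    """Turn FortiOS 'show' output for one policy into a dict of its settings."""
    policy = {}
    edit = re.search(r"^\s*edit (\d+)", show_output, re.M)
    if edit:
        policy["id"] = int(edit.group(1))
    for m in re.finditer(r"^\s*set (\S+) (.+)$", show_output, re.M):
        values = shlex.split(m.group(2))  # handles quoted and multi-value settings
        policy[m.group(1)] = values[0] if len(values) == 1 else values
    return policy


def expected_source_ip(policy, interface_ips, mode, client_tunnel_ip):
    """
    Predict the source address a device behind the policy's dstintf will see.

    mode == "web":    portal bookmarks; the FortiGate itself opens the connection,
                      so the source is always the egress interface address and the
                      policy's NAT setting does not matter.
    mode == "tunnel": FortiClient; the client's packet is forwarded, so the source
                      is the tunnel address unless the policy NATs it (assumes plain
                      "use outgoing interface address" NAT, no IP pool).
    """
    egress_ip = interface_ips[policy["dstintf"]]
    if mode == "web":
        return egress_ip
    if policy.get("nat") == "enable":
        return egress_ip
    return client_tunnel_ip


def covered_by(ip, allowed_networks):
    """True if ip falls inside any network a downstream policy permits."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    # Constructed: FG2's policy toward AWS only permits the SSL VPN tunnel range.
    fg2_allowed = ["10.10.1.0/24"]
    for mode in ("web", "tunnel"):
        src = expected_source_ip(policy, INTERFACE_IPS, mode, "10.10.1.1")
        verdict = "allowed" if covered_by(src, fg2_allowed) else "NOT in FG2 allow-list"
        print(f"{mode:6s} mode: FG2 sees source {src} -> {verdict}")
```

The practical takeaway for the downstream firewall is the last check: a policy on FG2 that only permits the tunnel range will admit tunnel-mode traffic but reject web-mode traffic, because the latter arrives from FG1's internal interface address no matter what the FG1 policy's NAT flag says.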

smayank
Staff
January 16, 2024

Hello

This is the expected behaviour of SSL VPN Web mode. First the user connects to the firewall, and when traffic goes to the LAN it takes the LAN interface IP address as source.

Thanks & Regards
Mayank Sharma

NunoLour
New Member
January 16, 2024

.