Description

This article describes how to access internal resources over SSL VPN via external IP address.

The following high level diagram illustrates the scenario:

Solution

Site A network connects to SSL VPN to access remote resources (Site B network), however, Site A users do not know the exact private IP addresses of the remote resources.

Hairpin NAT can be used here to help access the Site B network via its public IP address.

Here is the step-by-step guide:

1. Create a VIP rule:
   
   config firewall vip
       edit "VIP"
           set extip 180.120.131.78
           set extinf "wan1"
           set mappedip 192.168.10.1
       next
   end
   
   
2. The VIP rule can be added to the SSL VPN policy if only the related SSL VPN portal is in tunnel mode. Therefore, the web mode should be disabled.
3. Create a policy from SSL VPN to WAN1 with the public IP address of WAN1 as a destination:
   
   config firewall policy
       edit 1
           set srcintf "ssl.root"
           set dstintf "WAN1"
           set srcaddr “SSLVPN-grp”
           set dstaddr "IP-180.120.131.78"
           set action accept
           set schedule "always"
           set service "ALL"
           set group "ssl_vpn_user_group"
       next
   end
   
   
4. Create a policy from SSL VPN to Internal with the VIP rule as a destination:
   
   config firewall policy
       edit 2
           set srcintf "Wan1"
           set dstintf "Internal"
           set srcaddr “SSLVPN-grp”
           set dstaddr "VIP"
           set action accept
           set schedule "always"
           set service "ALL"
       next
   end

The goal is to send the SSL VPN traffic to the internet and then redirect it from the internet back to the FortiGate.