Description
This article describes how to access internal resources over SSLVPN via external IP address.
The following high level diagram illustrates the scenario:
Solution
Site A network connects to SSL VPN to access remote resources (Site B network), however, Site A users don't know the exact private IP addresses of the remote resources.
Hairpin NAT can be used here to help accessing Site B network via its public IP address.
Here is the step by step guide:
1) Create a VIP rule
3) Create a policy from SSLVPN to WAN1 with the public IP address of WAN1 as a destination
This article describes how to access internal resources over SSLVPN via external IP address.
The following high level diagram illustrates the scenario:
Solution
Site A network connects to SSL VPN to access remote resources (Site B network), however, Site A users don't know the exact private IP addresses of the remote resources.
Hairpin NAT can be used here to help accessing Site B network via its public IP address.
Here is the step by step guide:
1) Create a VIP rule
#config firewall vip2) The VIP rule can be added to the SSLVPN policy if only the related SSLVPN portal is in tunnel mode. Therefore, the web mode should be disabled.
edit "VIP"
set extip 180.120.131.78
set extinf "wan1"
set mappedip 192.168.10.1
next
end
3) Create a policy from SSLVPN to WAN1 with the public IP address of WAN1 as a destination
#config firewall policy4) Create a policy from SSLVPN to Internal with the VIP rule as a destination
edit 1
set srcintf "ssl.root"
set dstintf "WAN1"
set srcaddr “SSLVPN-grp”
set dstaddr "IP-180.120.131.78"
set action accept
set schedule "always"
set service "ALL"
next
#config firewall policy
edit 2
set srcintf "ssl.root"
set dstintf "Internal"
set srcaddr “SSLVPN-grp”
set dstaddr "VIP"
set action accept
set schedule "always"
set service "ALL"
next
end
