FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
welnaggar
Staff
Staff
Description
This article describes how to access internal resources over SSLVPN via external IP address.

The following high level diagram illustrates the scenario:


Solution
Site A network connects to SSL VPN to access remote resources (Site B network), however, Site A users don't know the exact private IP addresses of the remote resources.

Hairpin NAT can be used here to help accessing Site B network via its public IP address.

Here is the step by step guide:

1) Create a VIP rule
#config firewall vip
     edit "VIP"
         set extip 180.120.131.78
         set extinf "wan1"
         set mappedip 192.168.10.1
    next
end
2) The VIP rule can be added to the SSLVPN policy if only the related SSLVPN portal is in tunnel mode. Therefore, the web mode should be disabled.
 
3) Create a policy from SSLVPN to WAN1 with the public IP address of WAN1 as a destination

#config firewall policy
    edit 1
           set srcintf  "ssl.root"
           set dstintf  "WAN1"
           set srcaddr  “SSLVPN-grp”
           set dstaddr  "IP-180.120.131.78"
           set action accept
           set schedule "always"
           set service "ALL"
  next
4) Create a policy from SSLVPN to Internal with the VIP rule as a destination
#config firewall policy
    edit 2
           set srcintf  "ssl.root"
           set dstintf  "Internal"
           set srcaddr  “SSLVPN-grp”
           set dstaddr  "VIP"
           set action accept
           set schedule "always"
           set service "ALL"
  next
end

Contributors