Created on 10-14-2014 07:39 AM
Edited on 08-21-2024 12:09 AM
By Jean-Philippe_P
Description
This article describes how to configure SSL VPN when the remote subnet overlaps with a local subnet.
Connectivity fails when the subnet of the remote network (for example, a home Wi-Fi network on 192.168.0.0/24) is the same as the subnet of the local network behind FortiGate (also 192.168.0.0/24) that the SSL VPN user needs to reach: the client sends traffic for 192.168.0.0/24 to its own LAN instead of through the tunnel.
Scope
FortiGate.
Solution
To resolve the subnet overlap, follow the steps below:
1. Create a virtual IP object that maps a virtual subnet to the internal LAN subnet. Go to Policy & Objects -> Virtual IPs and select Create New -> Virtual IP. The mapped (internal) IP range is the real subnet behind FortiGate; the external IP range can be any range that does not overlap with either network, and SSL VPN users reach the internal hosts through these external addresses. For example, after connecting to SSL VPN, a user who needs RDP to the internal host 192.168.0.2 must connect to 172.16.0.2 instead of 192.168.0.2.
Name: SSLVPN_VIP
Interface: ssl.root
Type: Static NAT
External IP Address/Range: 172.16.0.1 - 172.16.0.254
Mapped IP Address/Range: 192.168.0.1 - 192.168.0.254
 
2. Create a separate user group, SSL VPN portal and SSL VPN policy so that the change does not affect the other SSL VPN users. Move the SSL VPN users whose private network overlaps with the local private network into the new user group.
- Create the SSL VPN portal for the users with the overlapping subnet:
- Add the Authentication/Portal Mapping:
- Create a firewall policy for the SSL VPN users to access the virtual subnet (Policy & Objects -> IPv4 Policy, select 'Create New'):
Name: SSLVPN-to-Internal
Incoming Interface: ssl.root
Outgoing Interface: port3 (internal port)
Source: all
Destination: SSLVPN_VIP
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Disable
Select 'OK' to save, then move this policy to the top.
3. Test by connecting an endpoint to SSL VPN and pinging 172.16.0.2 to reach a host in the internal network (for example, 192.168.0.2).
For setups with Central SNAT enabled: follow step 1 for the VIP setup, but configure the firewall policy as follows:
Name: SSLVPN-to-Internal
Incoming Interface: ssl.root
Outgoing Interface: port3 (internal port)
Source: all
Destination: Server_Real_Subnet (i.e. 192.168.0.0/24)
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Disable
Follow step 3 for the testing process.
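The same steps from the FortiOS CLI, as an added example that is not part of the original article. The group, portal and user names are assumed placeholders, and the portal uses the default SSL VPN address pool SSLVPN_TUNNEL_ADDR1.

```fortios
# Added example (not from the article): CLI equivalent of the GUI steps. Names marked "assumed" are placeholders.
# Step 1: static NAT VIP on ssl.root, mapping the virtual range 172.16.0.1-254 one-to-one
# onto the real LAN range 192.168.0.1-254 (172.16.0.2 <-> 192.168.0.2, and so on).
config firewall vip
    edit "SSLVPN_VIP"
        set type static-nat
        set extintf "ssl.root"
        set extip 172.16.0.1-172.16.0.254
        set mappedip "192.168.0.1-192.168.0.254"
    next
end
# Step 2: separate group, portal and authentication rule so only the users with an
# overlapping home subnet get this portal. Group, portal and user names are assumed.
config user group
    edit "SSLVPN_Overlap_Grp"
        set member "overlap-user"
    next
end
config vpn ssl web portal
    edit "overlap-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 0
            set groups "SSLVPN_Overlap_Grp"
            set portal "overlap-portal"
        next
    end
end
# Step 2 (continued): policy from ssl.root to the internal port, NAT disabled, destination = VIP.
# With Central SNAT enabled, set dstaddr to the real subnet object (Server_Real_Subnet) instead.
config firewall policy
    edit 0
        set name "SSLVPN-to-Internal"
        set srcintf "ssl.root"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "SSLVPN_VIP"
        set groups "SSLVPN_Overlap_Grp"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The user named in the group must already exist as a local or remote user; the policy is created with the next free ID and still needs to be moved to the top of the sequence.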