FortiGate
jkoay
Staff
Article Id 189886

Description

This article describes how to configure SSL VPN when the remote client's network overlaps with a network behind the FortiGate.

Connectivity fails when the remote network subnet (for example, a home Wi-Fi network on 192.168.0.0/24) is the same as the local network subnet connected to the FortiGate (192.168.0.0/24) that the SSL VPN user needs to reach: the client host then has two routes to the same 192.168.0.0/24 and traffic for the remote resources does not reliably enter the tunnel.


Scope

FortiGate.


Solution

To resolve the overlapping-subnet issue, follow the steps below:

  1. Create a virtual IP (VIP) object that maps a non-overlapping virtual subnet to the internal LAN subnet. Go to Policy & Objects -> Virtual IPs and select Create New -> Virtual IP. The VIP mapped (internal) IP range is the real subnet behind the FortiGate; the VIP external IP range can be any range that does not overlap with either network, and it is the range the SSL VPN user will use from now on to reach internal services. For example, after connecting to the SSL VPN, a user who wants RDP to the internal host 192.168.0.2 must connect to 172.16.0.2 instead of 192.168.0.2.

Name: SSLVPN_VIP

Interface: ssl.root
Type: Static NAT
External IP Address/Range: 172.16.0.1 - 172.16.0.254
Mapped IP Address/Range: 192.168.0.1 - 192.168.0.254

  2. Create a separate user group, SSL VPN portal, and SSL VPN policy so that the change does not affect the other SSL VPN users. Move the affected users (those whose private network overlaps with the local private network) into the new user group.


  3. Create the SSL VPN portal for the users with the overlapping subnet:


  4. Add an Authentication/Portal Mapping entry for the new user group and the new portal:


  5. Create a firewall policy that lets the SSL VPN users reach the virtual subnet (Policy & Objects -> IPv4 Policy, select 'Create New').

Name: SSLVPN-to-Internal

Incoming Interface: ssl.root
Outgoing Interface: port3 (internal port)
Source: all
Destination: SSLVPN_VIP
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Disable


Select 'OK' to save, then move this policy to the top of the policy list so that it is matched before the existing SSL VPN policies.


  6. Test by connecting an endpoint to the SSL VPN and reaching a host in the internal network (for example, 192.168.0.2) by pinging its VIP address, 172.16.0.2.

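The address arithmetic behind steps 1 and 6 is simple but easy to get wrong when the VIP ranges are typed by hand. The following Python planner is an added example, not part of the original article or of FortiOS: it takes the article's values (both LANs on 192.168.0.0/24, VIP external range 172.16.0.1-172.16.0.254, mapped range 192.168.0.1-192.168.0.254), checks that the external range is the same size as the mapped range and does not collide with either the client's LAN or the internal LAN, and translates a real internal host to the address the VPN user must dial (and back). The validation rules are this example's own, not checks the FortiGate GUI performs.

```python
"""Planner for the 1:1 static-NAT VIP used in the overlapping-subnet SSL VPN setup.

Added example (not from the original article). Uses only the standard library.
"""
import ipaddress

# Values taken from the article: the home LAN and the office LAN are both 192.168.0.0/24.
CLIENT_LAN = "192.168.0.0/24"
SERVER_LAN = "192.168.0.0/24"
VIP_EXTERNAL = ("172.16.0.1", "172.16.0.254")   # VIP "External IP Address/Range"
VIP_MAPPED = ("192.168.0.1", "192.168.0.254")   # VIP "Mapped IP Address/Range"


def _range(first, last):
    """Parse an inclusive address range and make sure it is ordered."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError(f"range end {last} precedes start {first}")
    return a, b


def _overlaps_network(first, last, network):
    """True if any address in [first, last] falls inside `network`."""
    net = ipaddress.ip_network(network, strict=False)
    return first <= net.broadcast_address and last >= net.network_address


def validate_vip(client_lan, server_lan, external, mapped):
    """Raise ValueError if the VIP cannot solve the overlap; return the number of mapped hosts.

    Static NAT is a 1:1 mapping, so both ranges must be the same size, the mapped
    range must lie in the internal LAN, and the external range must not collide
    with the client's own LAN (or the VPN user would have the same problem again).
    """
    ext_a, ext_b = _range(*external)
    map_a, map_b = _range(*mapped)
    size_ext = int(ext_b) - int(ext_a) + 1
    size_map = int(map_b) - int(map_a) + 1
    if size_ext != size_map:
        raise ValueError(f"static NAT needs equal-size ranges ({size_ext} vs {size_map})")
    if not _overlaps_network(map_a, map_b, server_lan):
        raise ValueError("mapped range does not lie in the internal LAN")
    if _overlaps_network(ext_a, ext_b, client_lan):
        raise ValueError("external range collides with the remote client's LAN")
    if _overlaps_network(ext_a, ext_b, server_lan):
        raise ValueError("external range collides with the internal LAN")
    return size_ext


def to_vip_address(real_host, external=VIP_EXTERNAL, mapped=VIP_MAPPED):
    """Translate an internal host (e.g. 192.168.0.2) to the address the VPN user must use."""
    ext_a, _ = _range(*external)
    map_a, map_b = _range(*mapped)
    host = ipaddress.ip_address(real_host)
    if not (map_a <= host <= map_b):
        raise ValueError(f"{real_host} is outside the mapped range")
    return str(ext_a + (int(host) - int(map_a)))


def to_real_address(vip_host, external=VIP_EXTERNAL, mapped=VIP_MAPPED):
    """Reverse translation: the real destination behind a VIP address."""
    ext_a, ext_b = _range(*external)
    map_a, _ = _range(*mapped)
    host = ipaddress.ip_address(vip_host)
    if not (ext_a <= host <= ext_b):
        raise ValueError(f"{vip_host} is outside the external range")
    return str(map_a + (int(host) - int(ext_a)))


if __name__ == "__main__":
    hosts = validate_vip(CLIENT_LAN, SERVER_LAN, VIP_EXTERNAL, VIP_MAPPED)
    print(f"VIP maps {hosts} addresses 1:1")
    print("RDP to 192.168.0.2 over the VPN -> connect to", to_vip_address("192.168.0.2"))
```

Running the module prints the VIP address for the article's RDP example; when testing, the ping destination from step 6 should be whatever `to_vip_address` returns for the internal host.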

For setups with Central SNAT enabled, follow step 1 for the VIP setup, but configure the firewall policy as follows. With central NAT the VIP's destination NAT is applied before policy lookup, so the policy's destination must be the real internal subnet rather than the VIP object:


Name: SSLVPN-to-Internal

Incoming Interface: ssl.root
Outgoing Interface: port3 (internal port)
Source: all
Destination: Server_Real_Subnet (an address object for the real internal subnet, 192.168.0.0/24)
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Disable


image.png

Follow step 3 for the testing process.