Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kuoman
New Contributor

SSL VPN - PC connected via SSL VPN is not ping-able

When the PC is connected via SSL VPN, it gets an IP (ie. 192.168.1.101). The PC can ping any devices on 192.168.1.0/24; however, when I tried to ping the PC (192.168.1.101), it is not reachable. Not sure if there is some additional setting that I need to configure?

 

Remote PC (192.168.1.101)  <=> FortiGate FW <=> network elements (ie. 192.168.1.50)

 

PING from 192.168.1.101 to 192.168.1.50 works

PING from 192.168.1.50 to 192.168.1.101 is not working (unreachable)

1 Solution
Alby23
Contributor II

Have you configured a policy with Source Interface: your LAN and Destination Interface: ssl.root?


5 REPLIES

rwpatterson
Valued Contributor III

Never going to work. The source and destination are on the same subnet. The FGT creates a virtual interface to connect to the LAN. If you look at the VPN monitor you will see the real IP address as well as the address the firewall is handing out to connect in. You MAY be able to ping the ssl-root IP address. I have never tried it, but you will not be able to ping the native address in this situation. This is why I stress when you create your network, don't be lazy and change the subnet on the system to anything but the default. Changing it before everyone gets set up is far easier than after you have 100 devices on it and run into an issue. (case in point)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Alby23

If the subnet is more specific than a /24 it could work, even if I think it is a /24.

 

If the problem is the subnet, the ssl --> lan direction should not work either, but he reports that it's working, so there are two scenarios:

 - he has applied NAT to the incoming traffic

 - the subnet is more specific

 

If the LAN and the SSL are on the same subnet, anyway, this is not a great problem.

He can easily change the address range assigned to the SSL Clients. No big deal.

kuoman
New Contributor

Hi rwpatterson and Alby23, thank you for your comments. The SSL Clients and the Network elements are on different subnets, but they are all private IPs.

 

SSL VPN Tunnel Address: 192.168.200.100 ~ 192.168.200.150

Network Element Addresses: 192.168.2.0/24

Under IPv4 policy, I do not have LAN as source and ssl.root as destination. I followed the SSL VPN configuration on the document site (http://cookbook.fortinet.com/ssl-vpn-for-remote-users/), where NAT is enabled. What if I disabled NAT, since the client is getting its IP from the SSL VPN Tunnel IP range? I'll try adding that policy tomorrow and try it out again.

 

Below is what I have on the IPv4 policy:

    [Source]                                                      [Destination]

    ssl.root (sslvpn tunnel interface) <=> WAN interface
      SSLVPN_Tunnel_Address (192.168.200.100 ~ 192.168.200.150)   all (0.0.0.0/0)

    ssl.root (sslvpn tunnel interface) <=> LAN interface
      SSLVPN_Tunnel_Address (192.168.200.100 ~ 192.168.200.150)   core (192.168.2.0/24)
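The reverse policy that Alby23's solution asks about, written out as an added FortiOS CLI example (it is not from the original thread): it permits new sessions from the LAN toward the SSL VPN clients, which the two ssl.root-as-source policies above never allow. The LAN interface name "internal" is an assumption; the address objects "core" and "SSLVPN_Tunnel_Address" are the ones named in the post above. NAT stays disabled so the client's real tunnel address is used, and the service is limited to PING instead of ALL.

```fortios
# Added example, not from the thread: allow LAN -> SSL VPN client traffic.
# "internal" is an assumed LAN interface name; replace it with the
# FortiGate's actual LAN interface. Address objects follow the post above.
config firewall policy
    edit 0
        set name "LAN-to-SSLVPN-clients"
        set srcintf "internal"
        set dstintf "ssl.root"
        set srcaddr "core"
        set dstaddr "SSLVPN_Tunnel_Address"
        set action accept
        set schedule "always"
        set service "PING"
        set nat disable
        set logtraffic all
    next
end
```

While a client is connected, confirm with `get router info routing-table all` that a route to its tunnel address via ssl.root is present; if the LAN still cannot reach the client, check the session with `diagnose sniffer packet any 'icmp' 4` to see whether the echo request leaves on ssl.root or is dropped before it.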

 

cumafo
New Contributor

did you ever succeed with this?

/C
