turovskiy
New Contributor

ssl vpn portal (Web Mode)

Hello all!

I need help.

I have a FortiGate 100D, firmware v5.0, build4429.

I use two ISPs, on WAN1 and WAN2.

On WAN1 I enabled Web Mode.

I cannot access my internal sub-network.

Using the debug command

diagnose sniffer packet any "dst host Internal_server_ip"

I noticed that the outgoing packets have the source IP IP_WAN1.

I think that they should have the IP IP_INTERNAL_INTERFACE.

Thank you for your help.
Jeroen
Contributor

turovskiy wrote:

I think that they should have the IP IP_INTERNAL_INTERFACE.

This is not completely right. If this were true you would get a round-robin effect, which is something you don't want. The incoming interface will always be the outgoing interface.

Did you enter your portal settings right? And did you make policies for the SSL VPN subnet to the "Internal subnet"?

turovskiy
New Contributor

config vpn ssl web portal
    edit "full-access"
        set allow-access web ssh ping portforward
        set theme gray
        set page-layout double-column
        config widget
            edit 8
                set name "Connection Tool"
                set type tool
                set column two
                set allow-apps web ssh ping portforward
            next
            edit 4
                set name "Corporate services"
                set allow-apps web ssh portforward
                config bookmarks
                    edit "Corporate portal"
                        set description "Corporate portal"
                        set url "http://192.168.0.X"
                    next
                    edit "Corporate mail"
                        set description "Corporate mail"
                        set url "https://192.168.19.X"
                    next
                end
            next
            edit 5
                set name "Tunnel Mode"
                set type tunnel
                set column two
                set ipv6-split-tunneling disable
                set ip-pools "ssl-vpn-co2-r"
            next
            edit 6
                set name "Session Information"
                set type info
            next
            edit 7
                set name "FortiClient Download"
                set type forticlient-download
                set column two
            next
        end
    next
end


diagnose sniffer packet any "dst host 192.168.19.X" 4
interfaces=[any]
filters=[dst host 192.168.19.X]
2.991760 co2-bk-m-1 out WAN1_IP -> 192.168.19.X: icmp: echo request

turovskiy

I am using method #2.

CO2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S* 0.0.0.0/0 [30/0] via X.X.X.X, wan1, [25/0]
                  [30/0] via X.X.X.X, GT-Internet, [30/0]
S 10.2.2.0/24 [10/0] is directly connected, co2-bk-m-1, [10/0]
C 10.10.0.0/21 is directly connected, lan
S 10.11.0.0/21 [10/0] via 10.10.7.254, lan
S 10.12.0.0/21 [10/0] via 10.10.7.254, lan
S 10.20.11.0/24 [10/0] is directly connected, co2-vl-m1
S 10.80.1.0/24 [10/0] is directly connected, co2_vk_m1, [10/0]
S 10.80.2.0/24 [10/0] is directly connected, co2-vl-m1, [10/0]
C 46.164.137.64/29 is directly connected, wan1
C 85.223.232.152/29 is directly connected, GT-Internet
S 192.168.0.0/23 [10/0] via 10.10.7.254, lan
S 192.168.3.0/24 [10/0] is directly connected, co2-kf-m-1, [5/0]
                       [10/0] is directly connected, co2-kf-b-1, [10/0]
S 192.168.5.0/24 [10/0] is directly connected, co2-kfs-m-1, [5/0]
                       [10/0] is directly connected, co2-kfs-b-1, [10/0]
S 192.168.6.0/24 [10/0] is directly connected, co2_vk_m1, [10/0]
S 192.168.7.0/24 [10/0] is directly connected, co2-sdf-m-1, [10/0]
S 192.168.11.0/24 [10/0] is directly connected, co2-lviv-m-1, [5/0]
                        [10/0] is directly connected, co2-lviv-b-1, [10/0]
S 192.168.14.0/24 [10/0] is directly connected, co2-kho-m-1, [5/0]
                        [10/0] is directly connected, co2-kho-b-1, [10/0]
S 192.168.15.0/24 [10/0] is directly connected, co2-kh-m-1, [5/0]
                        [10/0] is directly connected, co2-kh-b-1, [10/0]
S 192.168.17.0/24 [10/0] is directly connected, co2-lit-b-1, [10/0]
                        [10/0] is directly connected, co2-lit-m-1, [15/0]
S 192.168.18.0/23 [10/0] is directly connected, co2-bk-m-1, [10/0]
S 192.168.20.0/24 [10/0] is directly connected, co2-kff-m-1, [5/0]
                        [10/0] is directly connected, co2-kff-bb-1, [10/0]
S 192.168.21.0/24 [10/0] is directly connected, co2-kfa-m-1, [5/0]
                        [10/0] is directly connected, co2-kfa-bb-1, [10/0]
S 192.168.23.0/24 [10/0] is directly connected, co2-msk-m-1, [5/0]
                        [10/0] is directly connected, co2-msk-b-1, [10/0]
S 192.168.24.0/24 [10/0] is directly connected, co2-msks-m-1, [5/0]
                        [10/0] is directly connected, co2-msks-bb-1, [10/0]
S 192.168.31.0/24 [10/0] is directly connected, co2-bk-m-1, [10/0]
S 192.168.33.0/24 [10/0] is directly connected, co2-bel-m-1, [5/0]
                        [10/0] is directly connected, co2-bel-bb-1, [10/0]
S 192.168.42.0/24 [10/0] is directly connected, co2_vk_m1, [10/0]
S 192.168.44.0/24 [10/0] is directly connected, co2-sdf-m-1, [5/0]
S 192.168.45.0/24 [10/0] is directly connected, co2-lit-b-1, [5/0]
S 192.168.46.0/24 [10/0] is directly connected, co2-kf-m-1, [5/0]
S 192.168.47.0/24 [10/0] is directly connected, co2-bel-m-1, [5/0]
S 192.168.48.0/24 [10/0] is directly connected, co2-msk-m-1, [5/0]
S 192.168.49.0/24 [10/0] is directly connected, co2-kff-m-1, [5/0]
S 192.168.50.0/24 [10/0] is directly connected, co2-kho-m-1, [5/0]
S 192.168.51.0/24 [10/0] is directly connected, co2-laack-m-1, [5/0]
                        [10/0] is directly connected, co2-laack-bb-1, [10/0]
S 192.168.52.0/24 [10/0] is directly connected, co2-sh-m-1, [5/0]
                        [10/0] is directly connected, co2-sh-bb-1, [10/0]
S 192.168.53.0/24 [10/0] is directly connected, co2-gb-m-1, [5/0]
                        [10/0] is directly connected, co2-gb-bb-1, [10/0]
S 192.168.54.0/24 [10/0] is directly connected, co2-jac-m-1, [5/0]
                        [10/0] is directly connected, co2-jac-bb-1, [10/0]
S 192.168.56.0/24 [10/0] is directly connected, co2-bos-bb-1, [10/0]
S 192.168.57.0/24 [10/0] is directly connected, co2-xo-m-1, [5/0]
                        [10/0] is directly connected, co2-xo-bb-1, [10/0]
S 192.168.59.0/24 [10/0] is directly connected, co2-vl-m1, [10/0]
C 192.168.60.0/24 is directly connected, wi-fi-bio-guest
S 192.168.70.0/24 [20/0] is directly connected, co2_h_m2, [10/0]
                        [20/0] is directly connected, co2_h_m1, [20/0]
S 192.168.200.0/24 [10/0] via 10.10.7.254, lan, [10/0]
S 192.168.230.0/24 [10/0] via 192.168.230.53, GT-L2
C 192.168.230.52/30 is directly connected, GT-L2

turovskiy

Hello!

        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "pridn-net-g" "co2-net-g" "co-net"
        set action ssl-vpn
        set global-label "SSL VPN"
        set identity-based enable
            config identity-based-policy
                edit 2
                    set schedule "always"
                    set logtraffic disable
                    set groups "vpn-users"
                    set service "ALL"
                    set sslvpn-portal "full-access"
                next
            end

turovskiy

I am using the Connection Tool of the web portal and pinging 192.168.19.254.

The result:

# diagnose sniffer packet any "dst host 192.168.19.254" 4
interfaces=[any]
filters=[dst host 192.168.19.254]
4.147289 co2-bk-m-1 out IP_WAN1 -> 192.168.19.254: icmp: echo request

Using the current policy, the packets are forwarded to the appropriate interface, but the SOURCE-IP is incorrect (IP-WAN1).

turovskiy

The situation has not changed.

mmishra_FTNT
Staff

Hello,

Which method are you using to ping the destination?

1> Clicking on Connect after logging in to the SSL portal and downloading FortiClient from the browser?

2> Or using the Connection Tool from the SSL portal after logging in?

It should be the latter, as you have mentioned web mode, but just to be sure.

Also, could you share the output of the command:

get router info routing-table all

mmishra_FTNT
Staff

Hello,

Routing appears to be in place; this is the route which should be used:

S 192.168.18.0/23 [10/0] is directly connected, co2-bk-m-1, [10/0]

Regardless of the distance and priority of the default route, this more specific route will be used. Could you please share the firewall policies created with action SSL-VPN?
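As an added example (it is not from the thread and not Fortinet code), the checker below automates the comparison mmishra_FTNT asks for: it parses the output of get router info routing-table all and a verbosity-4 diagnose sniffer packet line, does the longest-prefix lookup for the packet's destination, and reports which interface the route selects, whether the captured packet actually left on that interface, and which interface's connected (C) subnet owns the packet's source address. The routing excerpt is copied from the table posted earlier in the thread, with its X.X.X.X gateways left as posted; the source address 46.164.137.66 in the sample sniffer line is an assumed address inside the posted wan1 /29, standing in for the IP_WAN1 placeholder. All function names are mine.

```python
"""Cross-check a FortiGate sniffer line against the routing table.

Added example for this thread, not Fortinet code. Parses
`get router info routing-table all` and a verbosity-4
`diagnose sniffer packet <intf> "<filter>" 4` line (the form that prints
the interface name and direction), then compares route and capture.
"""
import ipaddress
import re

# "S 192.168.18.0/23 [10/0] is directly connected, co2-bk-m-1, [10/0]"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+)?(?:via\s+\S+,|is directly connected,)\s*(?P<intf>[^,\s]+)"
)
# ECMP / backup next hops are printed on indented continuation lines without a prefix.
ROUTE_CONT_RE = re.compile(
    r"^\s+(?:\[\d+/\d+\]\s+)?(?:via\s+\S+,|is directly connected,)\s*(?P<intf>[^,\s]+)"
)
# "4.147289 co2-bk-m-1 out 46.164.137.66 -> 192.168.19.254: icmp: echo request"
SNIFF_RE = re.compile(
    r"^\s*\d+\.\d+\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?:"
)


def parse_routes(text):
    """Return a list of (network, interface, code) tuples, one per next hop."""
    routes = []
    last = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            last = (ipaddress.ip_network(m["prefix"]), m["code"].rstrip("*"))
            routes.append((last[0], m["intf"], last[1]))
            continue
        c = ROUTE_CONT_RE.match(line)
        if c and last:
            routes.append((last[0], c["intf"], last[1]))
    return routes


def lookup(dst, routes):
    """Longest-prefix match; on equal prefix length the first table entry wins.
    Distance, priority and policy routes are not modelled."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, intf, code in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf, code)
    return best


def owner_of(addr, routes):
    """Interface whose connected (C) subnet contains addr, or None."""
    addr = ipaddress.ip_address(addr)
    for net, intf, code in routes:
        if code == "C" and addr in net:
            return intf
    return None


def check_packet(sniffer_line, routes):
    """Compare one captured packet with the route its destination selects."""
    pkt = SNIFF_RE.match(sniffer_line)
    if not pkt:
        raise ValueError("not a verbosity-4 sniffer line: %r" % sniffer_line)
    route = lookup(pkt["dst"], routes)
    expected = route[1] if route else None
    src_owner = owner_of(pkt["src"], routes)
    return {
        "dst": pkt["dst"],
        "route": str(route[0]) if route else None,
        "expected_intf": expected,
        "observed_intf": pkt["intf"],
        "intf_matches": pkt["dir"] == "out" and pkt["intf"] == expected,
        "src": pkt["src"],
        "src_owner": src_owner,                      # interface that owns the source IP
        "src_on_egress": src_owner == pkt["intf"],   # source IP belongs to the egress intf
    }


# Excerpt of the routing table posted in the thread; X.X.X.X gateways kept as posted.
ROUTING_TABLE = """\
S* 0.0.0.0/0 [30/0] via X.X.X.X, wan1, [25/0]
                  [30/0] via X.X.X.X, GT-Internet, [30/0]
S 10.2.2.0/24 [10/0] is directly connected, co2-bk-m-1, [10/0]
C 10.10.0.0/21 is directly connected, lan
C 46.164.137.64/29 is directly connected, wan1
C 85.223.232.152/29 is directly connected, GT-Internet
S 192.168.18.0/23 [10/0] is directly connected, co2-bk-m-1, [10/0]
"""

# Constructed sniffer line: the thread shows "IP_WAN1" as the source; 46.164.137.66 is
# an assumed address inside the posted wan1 /29, used only so the line parses.
SNIFFER_LINE = "4.147289 co2-bk-m-1 out 46.164.137.66 -> 192.168.19.254: icmp: echo request"

if __name__ == "__main__":
    for key, value in check_packet(SNIFFER_LINE, parse_routes(ROUTING_TABLE)).items():
        print("%-15s %s" % (key, value))
```

For the thread's case it reports the 192.168.18.0/23 route on co2-bk-m-1, an egress interface that matches the capture, and a source address owned by wan1 rather than by any connected subnet on co2-bk-m-1, which is exactly the mismatch the original post describes. Because the lookup only models prefix length and table order, a policy route (the possibility Iescudero raises below) would not be reflected; run diagnose firewall proute list separately if one is configured.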

Iescudero
Contributor II

Hi everyone!

Just to check, maybe there is a policy route applied?
