Hello,
We were using our Fortigate appliance for web-filtering in transparent mode for our network. Due to the ongoing pandemic, our company is now trying to use the same appliance to provide SSL-VPN services to our users, should they have to work remotely.
From what I read in the official documentation, a VDOM working in transparent mode can only handle IPSec VPNs (I think this was only meant to establish transparent VPNs between 2 appliances). Therefore, we had to resort to multi-VDOM in order to configure a SSL-VPN in a second VDOM (in NAT mode).
So I went ahead and configured the root (transparent) VDOM to use WAN1 plus a virtual switch consisting of all non-pair LAN ports and then, 'vdom-nat' VDOM (NAT) to use WAN2 (with an IP address assigned by our ISP from our fixed public IP pool) plus a second virtual switch consisting of all pair LAN ports.
Unfortunately, due to legacy (and ill-designed) homebrew applications the company uses for the core business, every client must be present in the same subnet (192.168.0.0/22) on which it is hosted, with a unique IP. So, armed with patience (and the documentation), I went ahead and ended up making the following configs:
1. Generate an IP pool located in our LAN subnet (192.168.0.0/22) not managed by our DHCP in order for the SSL-VPN to lease to the clients:
config firewall address
    edit "hs_sslvpn_pool"
        set uuid cb138e9c-67bb-51ea-f4b9-682fdef184e1
        set type iprange
        set associated-interface "ssl.vdom-nat"
        set color 18
        set start-ip 192.168.3.150
        set end-ip 192.168.3.170
    next
end
2. Configure the SSL-VPN portal:
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set idle-timeout 3600
    set tunnel-ip-pools "hs_sslvpn_pool"
    set dns-server1 192.168.0.4
    set dns-server2 192.168.0.5
    set source-interface "wan2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set groups "ug_sslvpn"
            set portal "sslportal_companyA"
        next
    end
end
3. Configure a security policy to not filter any kind of traffic coming from the SSL-VPN:
config firewall security-policy
    edit 1
        set uuid 5a4afc78-67a6-51ea-36d2-9f4deedeee8a
        set name "sp_sslvpn_CompanyA"
        set comments "SSL-VPN access"
        set srcintf "ssl.vdom-nat"
        set dstintf "hs-vdnat-lan"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set groups "ug_sslvpn"
    next
end
Afterwards, I ran a few tests to connect to the SSL-VPN. The Fortigate is providing an IP address from the IP pool I configured (192.168.3.150), but the host connecting to the VPN is not able to reach any of our hosts.
Is there anything I might be missing in the configuration? Is this a scenario possible for Fortinet's NAT SSL-VPN to handle? I know there's a cookbook that documents how to establish transparent to NAT communications, but the scenario it describes does not adapt to our current one.
Many thanks in advance for your thoughts / feedback.
Regards,
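As an added example (not code from the post above or from Fortinet), a small Python checker that parses the flattened FortiOS CLI of the three steps and cross-checks them against each other: that the object named in tunnel-ip-pools exists as an iprange address, that an accept policy uses that object's associated interface as srcintf, and whether the pool range falls inside the LAN subnet, since hosts on 192.168.0.0/22 will resolve those addresses by ARP on the LAN segment rather than route them. The CONFIG excerpt is constructed from the post with uuids and cosmetic settings dropped; the parser only handles non-nested sections.

```python
import ipaddress
import shlex
# Constructed excerpt of the post's flattened CLI (uuids/cosmetics dropped, authentication-rule left out).
CONFIG = """
config firewall address
edit "hs_sslvpn_pool" set type iprange set associated-interface "ssl.vdom-nat" set start-ip 192.168.3.150 set end-ip 192.168.3.170 next
end
config vpn ssl settings
set tunnel-ip-pools "hs_sslvpn_pool" set source-interface "wan2" set default-portal "tunnel-access"
end
config firewall security-policy
edit 1 set name "sp_sslvpn_CompanyA" set srcintf "ssl.vdom-nat" set dstintf "hs-vdnat-lan" set srcaddr4 "all" set dstaddr4 "all" set action accept next
end
"""
KEYWORDS = {"config", "edit", "set", "next", "end"}
LAN = ipaddress.ip_network("192.168.0.0/22")  # the subnet the post says every client must live in

def parse_fortios(text):
    """Flat FortiOS CLI -> {section: {entry: {key: [values]}}}; entry '' = settings with no 'edit'."""
    tree, section, entry = {}, None, ""
    tokens, i = shlex.split(text), 0
    while i < len(tokens):
        keyword, args, i = tokens[i], [], i + 1
        while i < len(tokens) and tokens[i] not in KEYWORDS:  # gather this keyword's arguments
            args.append(tokens[i])
            i += 1
        if keyword == "config":
            section, entry = " ".join(args), ""
            tree.setdefault(section, {})
        elif keyword == "edit":
            entry = args[0]
        elif keyword == "set":
            tree[section].setdefault(entry, {})[args[0]] = args[1:]
        elif keyword == "next":
            entry = ""
    return tree

def check_sslvpn(cfg, lan=LAN):
    """Cross-check the pool object, SSL-VPN settings and policy; return a list of findings."""
    pool_name = cfg["vpn ssl settings"][""]["tunnel-ip-pools"][0]
    pool = cfg["firewall address"].get(pool_name, {})
    if pool.get("type") != ["iprange"]:
        return [f"tunnel-ip-pools '{pool_name}' is not an iprange address object"]
    findings = []
    start, end = (ipaddress.ip_address(pool[k][0]) for k in ("start-ip", "end-ip"))
    if start in lan or end in lan:
        findings.append(f"pool {start}-{end} overlaps LAN {lan}: LAN hosts will ARP for these addresses")
    ssl_if = pool["associated-interface"][0]
    if not any(p.get("srcintf") == [ssl_if] and p.get("action") == ["accept"]
               for p in cfg["firewall security-policy"].values()):
        findings.append(f"no accept policy with srcintf '{ssl_if}'")
    return findings
```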