Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Michael_Boskovic
New Contributor

Change IP that SSL VPN service listens on

Is it possible to change the IP that the SSL VPN service responds to requests on? For example, I have a /28 block of IP' s from my ISP and I want the WAN interface to be .2 and the SSL VPN login page to be .3
Michael Boskovic CCIE, CCDP, CCNP, CCNA, FCNSP, FCNSA
Michael Boskovic CCIE, CCDP, CCNP, CCNA, FCNSP, FCNSA
9 REPLIES 9
ede_pfau
SuperUser
SuperUser

hi, and welcome to the forums! There is no setting for specifying the IP directly. Instead, you could try to use a VIP with port mapping: Firewall objects > Virtual IP > Create new external IP: one of your WAN IPs external port: say, 20443 mapped to : your primary WAN IP mapped to port: 10443 (default for SSL VPN) Then, create a policy: src IF: WAN src IP: all dst IF: WAN dst IP: your VIP service: custom service for tcp/20443 schedule: ... action: accept NAT: no Give it a try and let us know how it works.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
mark14

Summarizing for this moment there is one solution? 

 

ede_pfau wrote:
hi, and welcome to the forums! There is no setting for specifying the IP directly. Instead, you could try to use a VIP with port mapping: Firewall objects > Virtual IP > Create new external IP: one of your WAN IPs external port: say, 20443 mapped to : your primary WAN IP mapped to port: 10443 (default for SSL VPN) Then, create a policy: src IF: WAN src IP: all dst IF: WAN dst IP: your VIP service: custom service for tcp/20443 schedule: ... action: accept NAT: no Give it a try and let us know how it works.

Michael_Boskovic
New Contributor

Thanks for the reply! I tried the fix you recommended and everything seemed to work. Not the ideal solution I was hoping for, but serves as a valid alternative. Thanks for the help!
Michael Boskovic CCIE, CCDP, CCNP, CCNA, FCNSP, FCNSA
Michael Boskovic CCIE, CCDP, CCNP, CCNA, FCNSP, FCNSA
ede_pfau
SuperUser
SuperUser

Using a VIP for an additional public IP address is perfectly valid. The FGT will even respond to ARP requests for it just as if it was a " physical" address. Furthermore, the mapped-to address is " masked" , that is for incoming traffic the destination is NATted and for return traffic the source IP is NATted. Glad that it works for you now. Enjoy!
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
FatalHalt
Contributor II

I' m actually looking to do this same thing right now. Doing the VIP should work great for my purposes, however by doing that, wouldn' t the ' normal settings' of https//primarywan:10443 still serve to access the VPN? What I' d like to do is change the IP, using a VIP in this case is fine, but then not allow the normal settings to work. Am I thinking about this right?
ede_pfau
SuperUser
SuperUser

Right, a VIP opens just another IP+port access. You could block access to the original IP+port via a Local In policy I guess.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
FatalHalt
Contributor II

Just played around with this, and the local deny policy worked great. A VIP worked, but I also tried using a secondary wan1 IP, which worked as well, not sure which one I like more though.
ede_pfau
SuperUser
SuperUser

I' d go with a VIP anytime. First, it' s much more visible, and secondly, you can narrow it down to just 1 port. But it' s your choice...
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
lobstercreed

Super old thread, I know, but it was referenced in a more recent post and I wanted to make sure y'all knew that you can actually set up a loopback interface to accomplish this. 

 

[ul]
  • Create a loopback with some private IP address and then set the SSL-VPN to listen only on the loopback interface.
  • Then create the VIP to point to the private IP on the loopback.
  • Lastly create a policy from your WAN to your loopback for HTTPS.[/ul]

    Boom, you have what you did here but without it listening on your actual public interface.  I did this years ago myself actually to solve the problem of having more than one ISP but wanting a consistent VPN address (using BGP peering for my ISPs).

  • Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors