- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fixing IP overlap using virtual IPs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixing IP overlap using virtual IPs
Hi everyone. I'm new to the community and Fortinet in general. And it's exciting learning about all of the features of the fortigate.
This is likely a very simple issue to many of you.
I'm facing an predicament where some users are trying to access internal office resources abroad using SSL VPN, but seem to be facing a conflict because their home networks fall into the same subnet (192.168). Rather than re-addressing their entire home, or the office network, I've been following this guide which suggests virtual IP mapping might be an elegant solution: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-with-overlapping-subnets/ta-...
However, when I test it myself, I can connect to the VPN tunnel, but none of the local IP addresses get mapped to the new address ranges that I specify.
Admittedly, I get a bit confused by the terminology used in the UI, (such as "External IP address range") I'm not exactly sure which IP range I should put there. Is it the VPN tunnel IP ranges, or the user's home network range, or something else?
Any help or advice would be greatly appreciated.
Labels:
- Labels:
-
FortiClient
-
FortiGate
-
SSL-VPN
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Example:
SSLVPN remote user's local wifi subnet is 192.168.0.1/24 and the internal office lan is also 192.168.0.1/24
In this case, the internal IP range should be 192.168.0.1-192.168.0.254 the external IP address is the address you will map with your internal range. That means this address(external) will be installed on the user's PC and can be verified with the "route print" command on Windows. The purpose of the external address is to provide a unique address to the user that should not conflict with the local ip address space of the user. When user ping the address 172.16.0.1 , the fortigate will translate this address to 192.168.0.1 and will send the request to your internal network via the policy and VIP.
Amritpal Singh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. Although I’m still a bit confused by what you mean with, “this address(external) will be installed on the user's PC”
So I should add the external IP addresses as something unique? Does it need to be a specific alternate range or can it be arbitrary?
I’ll test this again and report back the results
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
For the external IP address, it would be the one that will be used by the SSL VPN overlapping users to access the real servers internally.
Here is the scenario below:
External IP address 172.16.0.1
Internal IP address 192.168.0.1
For SSL VPN overlapping users to reach 192.168.0.1 on your internal network, they need to reach 172.16.0.1 instead of using the internal IP address.
You can assign any external IP address on your settings as long as they are not used on your network.
Thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @4wheels,
"External IP address range" should be a dummy subnet (an unused subnet). So you are connected to the VPN, you will access that dummy subnet instead of 192.168.x.x. It will be mapped by the FortiGate accordingly.
Regards,
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Accessing SSL VPN addresses from a... 736 Views
- Dual WAN on same ISP 1522 Views
- The virtual IP is overlapped with... 9910 Views
- Problems with Virtual Clustering, SNMP and... 7469 Views
Labels
-
FortiGate
7,212 -
FortiClient
1,423 -
5.2
801 -
5.4
639 -
FortiManager
623 -
FortiAnalyzer
463 -
6.0
416 -
FortiAP
378 -
FortiSwitch
376 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
282 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
178 -
FortiNAC
129 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
110 -
FortiGateCloud
97 -
FortiSIEM
95 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiExtender
35 -
FortiSandbox
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
VLAN
32 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
FortiConverter
23 -
LDAP
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
Interface
20 -
FortiPortal
18 -
Routing
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiLink
16 -
FortiMonitor
15 -
RADIUS
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
NAT
14 -
FortiDDoS
14 -
Logging
14 -
SSL SSH inspection
13 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Virtual IP
11 -
Application control
11 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
IP address management - IPAM
9 -
FortiManager v5.0
9 -
OSPF
9 -
4.0MR2
9 -
WAN optimization
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
Proxy policy
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Web application firewall profile
7 -
Security profile
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
Port policy
5 -
Antivirus profile
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiTester
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Traffic shaping profile
4 -
FortiPAM
4 -
Fortinet Engage Partner Program
4 -
FortiCarrier
4 -
3.6
4 -
FortiScan
4 -
DLP sensor
4 -
DoS policy
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiNDR
2 -
FortiAI
2 -
FortiHypervisor
2 -
Schedule
2 -
Authentication rule and scheme
2 -
Explicit proxy
2 -
Internet Service Database
2 -
VoIP profile
2 -
4.0MR1
1 -
File filter
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Zone
1 -
TACACS
1 -
Replacement messages
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1083 | |
| 892 | |
| 531 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.