Internet access for VPN SSL CLIENT
Hello there,
please help.
We are using an FG30E with firmware 5.6.12.
We have created an SSL VPN in tunnel mode, and the client can connect successfully.
We have created 3 policies (as shown in the video tutorial):
- WAN to VPN SSL: I don't think this has a problem, since the client can connect to the SSL VPN.
- VPN SSL to LAN: I assume this has no problem, since the client can access the LAN after connecting to the SSL VPN.
- VPN SSL to WAN, with this configuration:
  - source: all IP, list of VPN users
  - destination: all
  - service: all
  - NAT: ON
  - AV: ON
  - accept connection.
The FortiGate was restarted. The client connects to the SSL VPN successfully,
but the client can't access the internet (trying to browse any website).
Need help please. Thank you.
You shouldn't allow WAN to VPN. This is creating security holes and you do not really need it.
For internet you need VPN to WAN, so that's OK. Does the client have a default route to your FGT over the VPN?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hello.
Noted. WAN to SSL already deleted.
Thanks.
"Does the client have a default route to your FGT over the vpn" --> do we need to create a static route for this?
Source: all, gateway: gateway FG (internet), interface: ssl root?
Not on the FGT. The route must be client-side.
Since we don't use SSL VPN, I can't say much about how to push routes with it.
noted. will check. thanks
No Internet means you cannot access a web page? I am asking in case there is a DNS or other issue.
Depending on the mode of the VPN you will NOT have a default gateway on the client.
A great tool for this is the built in packet sniffer. Log into the web UI or via SSH and type exactly this:
diagnose sniffer packet any 'host 10.10.10.10 and port 443' 4
Obviously replace 10.10.10.10 with the IP that your SSLVPN client has when connected. Either break down the packets or paste them into a txt file and post them back
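
An added example, not part of the thread: one way to read a capture taken with the sniffer filter above and separate "client never sends web traffic into the tunnel" (the missing client default route asked about earlier) from "FortiGate receives it but nothing comes back". The line layout in the regex is an assumption about verbosity-4 output, and the captures, port numbers and 198.51.100.20 are constructed sample data.

```python
import re

# Assumed shape of one verbosity-4 sniffer line (assumption, not from the thread):
#   <time> <iface> <in|out> <src_ip>.<sport> -> <dst_ip>.<dport>: <flags...>
LINE = re.compile(
    r"^\s*[\d.]+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def triage(capture: str, client_ip: str) -> str:
    """Classify a capture filtered on 'host <client_ip> and port 443'.

    no-client-traffic: nothing from the client reached the FortiGate, so
        check the client's routing table (no default route via the VPN)
        and DNS resolution on the client.
    no-reply: requests arrive from the tunnel but nothing is sent back,
        so check the VPN-to-WAN policy, NAT and upstream routing.
    bidirectional: traffic flows both ways; look at the client or UTM.
    """
    from_client = to_client = 0
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner lines such as interfaces=[any] are skipped
        if m["dir"] == "in" and m["src"] == client_ip:
            from_client += 1
        elif m["dir"] == "out" and m["dst"] == client_ip:
            to_client += 1
    if from_client == 0:
        return "no-client-traffic"
    return "bidirectional" if to_client else "no-reply"

# Constructed sample captures (not real output from the poster's device).
CLIENT = "10.10.10.10"
BANNER = "interfaces=[any]\nfilters=[host 10.10.10.10 and port 443]\n"
EMPTY = BANNER
ONE_WAY = BANNER + (
    "1.102345 ssl.root in 10.10.10.10.51514 -> 198.51.100.20.443: syn 3141592653\n"
    "2.104011 ssl.root in 10.10.10.10.51514 -> 198.51.100.20.443: syn 3141592653\n"
)
TWO_WAY = ONE_WAY + (
    "2.130277 ssl.root out 198.51.100.20.443 -> 10.10.10.10.51514: "
    "syn 271828182 ack 3141592654\n"
)

if __name__ == "__main__":
    for name, cap in (("empty", EMPTY), ("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        print(name, "->", triage(cap, CLIENT))
```

Because the policy has NAT on, packets leaving the WAN side carry the FortiGate's address and fall outside a `host <client IP>` filter, which is why the check looks only at direction relative to the client.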
