adogra
New Contributor

Need to allow https access to internal server IP on specific port from remote s2s vpn off

Hi folks,

I need to allow web access to a server for the remote office via S2S IPsec VPN. Remote office users can ping that server but can't access the URL, which is https://192.168.x.x:9090, though they can access the server using its external IP.

Just wondering if I need to create a static route, and how?

Thanks

A

 

 

rwpatterson
Valued Contributor III

If the user can PING that IP then the route is already there. You need to enable a policy that will allow HTTP from that user to the server over the VPN.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

adogra

rwpatterson wrote:

If the user can PING that IP then the route is already there. You need to enable a policy that will allow HTTP from that user to the server over the VPN.

Thanks. Yes indeed, I can ping that server from the other end, but I'm not able to access it on port 9090, e.g. http://servername:9090. When I tracert the server IP from the remote office end, it points to the other ISP link that we have, not the primary internet link that we want to route this traffic onto.

 

We had a VIP for this server name and a policy route for it on the secondary ISP; that may be what is causing the traffic not to go out on the new primary ISP.

 

sw2090
Honored Contributor

Do I get that right?

 

Remote user can ping 192.168.x.x but cannot access https://192.168.x.x:9090.

In this case, as rwpatterson wrote, you must already have the routing, because otherwise ping wouldn't work.

Probably you need a policy to allow the traffic (on BOTH sides).

 

Generally in this case you need:

On remote side:

- a (static) route to 192.168.x.x or the whole subnet via your VPN
- one or more policies that allow traffic from the remote subnet(s) or host(s) to 192.168.x.x (or the whole subnet)

On your side:

- a (static) route to the remote subnet(s), since you don't have any interface in those here ;)
- one or more policies that allow traffic from the remote subnet(s) or host(s) to 192.168.x.x (or the whole subnet)

I'm not sure whether you will need the backwards policy on this side too. I'd have to look that up on my FGTs here if necessary.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

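As an added illustration of the route-plus-policy checklist in the reply above, here is what the "your side" part looks like in FortiOS CLI on the FortiGate in front of the server. This is example configuration written for this page, not something posted in the thread or taken from Fortinet documentation. The tunnel interface name vpn-remote-office, the LAN interface port1, the remote office subnet 10.10.20.0/24 and the object names are constructed placeholders; 192.168.x.x stands for the server address exactly as it is written in the thread and has to be replaced with the real one.

```text
# Constructed example (not from the thread): FortiOS CLI on the FortiGate in front of the server.
# Placeholders: vpn-remote-office (route-based IPsec tunnel interface), port1 (server LAN),
# 10.10.20.0/24 (remote office LAN), 192.168.x.x (the server, as written in the thread).

# 1. Route to the remote office LAN through the tunnel interface.
#    If ping already works across the tunnel, this part is most likely in place.
config router static
    edit 0
        set dst 10.10.20.0 255.255.255.0
        set device "vpn-remote-office"
    next
end

# 2. Address objects for the two ends of the flow.
config firewall address
    edit "remote-office-lan"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "web-server-9090"
        set subnet 192.168.x.x 255.255.255.255
    next
end

# 3. A service object limited to the one TCP port the web UI listens on,
#    so the policy does not open every port on the server to the remote site.
config firewall service custom
    edit "HTTPS-9090"
        set tcp-portrange 9090
    next
end

# 4. Policy from the tunnel into the server LAN for that single service.
config firewall policy
    edit 0
        set name "remote-office-to-web-server"
        set srcintf "vpn-remote-office"
        set dstintf "port1"
        set srcaddr "remote-office-lan"
        set dstaddr "web-server-9090"
        set action accept
        set schedule "always"
        set service "HTTPS-9090"
    next
end

# 5. Checks for the symptom in the thread (ping works, port 9090 does not):
#    which route the server address resolves to, whether a policy route is
#    steering the flow at an ISP link instead of the tunnel, and whether the
#    SYN to port 9090 is seen arriving on the expected interface at all.
get router info routing-table details 192.168.x.x
diagnose firewall proute list
diagnose sniffer packet any "host 192.168.x.x and port 9090" 4
```

The remote office FortiGate needs the mirror image of steps 1 and 4: a route to 192.168.x.x via its own tunnel interface and a policy from its LAN interface to that tunnel with the same restricted service. FortiGate policies are stateful, so the reply packets of an HTTPS session are matched by the session created by this policy; a separate reverse policy is only required if the server itself has to open connections toward the remote office. The policy route mentioned later in the thread is exactly what step 5 is meant to surface: a policy route matching the remote subnet, or all traffic, toward the secondary ISP is consulted before the routing table and would send port 9090 traffic out that link rather than through the tunnel, which is consistent with the tracert result described.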