Lassaad
New Contributor

Ping Problem after SSL VPN Connection

Hi, I'm using FortiGate SSL VPN to set up a VPN tunnel between a computer in an external network (internet) and our network behind the FortiGate gateway. After verification in our forum, I tested with creation of a local user, SSL profiles, etc. When I try to connect to our network using SSL VPN (server: IP address of our gateway:10433, username and password), the connection is OK, but I can ping only my IP address, not all the other network IP addresses, and I cannot access our shared resources. Could you give me a solution for this problem? Thank you
oukabri Lassaad Information Technology Engineer ATU Tunisie S.A.R.L Zine El Abidine Ben Ali Enfidha International Airport Tunis-TUNISIA Phone : (+216) 98 702 603 www.atu.com.tr
23 REPLIES
darrencarr
New Contributor II

Agree with Eric here... Why don't you split up your ranges properly, i.e. have a dedicated, properly configured subnet for your ssl-vpn IP range? If you don't have these defined correctly the routing will get screwed up.

In my test lab (just set up) I have the following:

Internal = 192.168.2.0/24
ssl-vpn ip range = 10.185.200.0/24

Policies
External -> ssl.root  ACTION = SSLVPN  SERVICE = ANY
ssl.root -> Internal  ACTION = SSLVPN  SERVICE = ANY

When I connect to the VPN I get allocated IP 10.185.200.1, GATEWAY 10.185.200.1 (all good so far). I then initiate a PING from my host and watch the traffic pass through the firewall. My host is configured correctly, I am allowing PING, etc. to the machine, and the machine's gateway is 192.168.2.1, which is an interface defined on my Fortigate in my test lab, so the machine has a route back to the external host.

Looks like your IP addressing needs to be tidied up and your route for the destination network needs to be configured correctly. In my example above the configuration would be:

DESTINATION: 10.185.200.0/24
DEVICE: ssl.root
GATEWAY: 0.0.0.0 (default)
DISTANCE: 10 (default)

Hope this helps?
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)
abelio

ORIGINAL: darrencarr Policies ... ssl.root -> Internal ACTION = SSLVPN SERVICE = ANY
Excuse me, but ACTION must be ACCEPT here, not SSLVPN.

regards / Abel
darrencarr
New Contributor II

Sorry, that was a typo; I had it correct earlier on in the thread!
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)
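An added example, not part of the thread or of any poster's configuration: a small Python check of the three conditions discussed above (a separate subnet for the SSL VPN pool, a static route for that pool via ssl.root, and ACCEPT on the ssl.root -> Internal policy). The addresses are those of darrencarr's lab description; the dictionary layout and the finding names are assumptions made for illustration.

```python
import ipaddress

# Constructed model of the lab setup described in the thread.
# The dictionary layout is hypothetical, not a FortiGate export format.
CONFIG = {
    "internal_subnet": "192.168.2.0/24",
    "sslvpn_pool": "10.185.200.0/24",
    "static_routes": [{"dst": "10.185.200.0/24", "device": "ssl.root"}],
    "policies": [
        {"src": "External", "dst": "ssl.root", "action": "SSLVPN"},
        {"src": "ssl.root", "dst": "Internal", "action": "ACCEPT"},
    ],
}

def audit(cfg):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    internal = ipaddress.ip_network(cfg["internal_subnet"])
    pool = ipaddress.ip_network(cfg["sslvpn_pool"])

    # 1. The tunnel pool must be its own subnet, not carved out of the LAN.
    if pool.overlaps(internal):
        findings.append("pool-overlaps-internal")

    # 2. A static route covering the whole pool must point at ssl.root,
    #    otherwise replies to VPN clients leave by another interface.
    if not any(r["device"] == "ssl.root"
               and pool.subnet_of(ipaddress.ip_network(r["dst"]))
               for r in cfg["static_routes"]):
        findings.append("no-route-to-pool-via-ssl.root")

    # 3. Tunnel-to-LAN traffic needs an ordinary ACCEPT policy.
    tunnel_to_lan = [p for p in cfg["policies"]
                     if p["src"] == "ssl.root" and p["dst"] == "Internal"]
    if not tunnel_to_lan:
        findings.append("no-policy-ssl.root-to-Internal")
    elif not any(p["action"] == "ACCEPT" for p in tunnel_to_lan):
        findings.append("ssl.root-to-Internal-action-not-ACCEPT")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "all checks pass")
```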
darrencarr
New Contributor II

Also, refer to this KB article http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=12948&sliceId=1&docTypeID=DT_KCARTICLE_1_1 Policies are slightly different in the KB article, as compared to what I have defined. I have only tested the policies I have defined earlier in the thread.
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)
Lassaad
New Contributor

Hello Team, thank you very much for your help, everything is OK. Please can you help me on this point: we are routing the SSL users' IP range to ssl.root, we are using settings like yours, and we are connecting to our local network with success; everything is OK. We can access our website inside; also, we can't access our VPN tunneling (for example, another VLAN with VPN). Why are our IP and our gateway the same?? Now we can't access the internet. We are using ISA Server as a firewall in our LAN; we want to use our gateway when we connect to our company to outside with SSL VPN. Thank you
oukabri Lassaad Information Technology Engineer ATU Tunisie S.A.R.L Zine El Abidine Ben Ali Enfidha International Airport Tunis-TUNISIA Phone : (+216) 98 702 603 www.atu.com.tr
rwpatterson
Valued Contributor III

ORIGINAL: Lassaad we can access our website inside also we can't access our vpn tunneling (for example other VLAN with vpn )
You create the access. Make a policy from ssl.root => VLAN
why our ip and our gateway are same ??
I don't know, but it works...
Now we can't access to internet we are using ISASERVER as a firewall in our LAN we want to use our gateway when we connect to our company to outside with ssl vpn
If the FGT is the edge router, then you need a policy...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Lassaad
New Contributor

Hello Team, can you please see my problem? Thank you
oukabri Lassaad Information Technology Engineer ATU Tunisie S.A.R.L Zine El Abidine Ben Ali Enfidha International Airport Tunis-TUNISIA Phone : (+216) 98 702 603 www.atu.com.tr
Lassaad
New Contributor

If the FGT is the edge router, then you need a policy...
Can you please explain to me the two policies to create for this problem? First policy from ssl.root => VLAN; what about the second?? Thank you
oukabri Lassaad Information Technology Engineer ATU Tunisie S.A.R.L Zine El Abidine Ben Ali Enfidha International Airport Tunis-TUNISIA Phone : (+216) 98 702 603 www.atu.com.tr
Lassaad
New Contributor

Hello team, for the internet connection it's OK, but my problem now is to connect to another VLAN. Can you please explain to me the policy for this connection (we are using VPN)? Thank you
oukabri Lassaad Information Technology Engineer ATU Tunisie S.A.R.L Zine El Abidine Ben Ali Enfidha International Airport Tunis-TUNISIA Phone : (+216) 98 702 603 www.atu.com.tr
darrencarr
New Contributor II

Hello, to make it easier to understand what you are trying to achieve, or to resolve, can you put together a basic diagram of your network layout? I am confused about the VLAN you are talking about. Make it clear in the diagram how the network is laid out, where this VLAN exists, and the role of the Fortigate (guessing this is doing your routing between your VLANs)??
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)