When I VPN I only want 1 IP allowed on a particular subnet. Is this possible? I tried creating the Address 192.168.1.120/32 and adding that as the destination, but it does not work.
Is it the allowed internal destination to get to from the client side? Or IP pool for the SSL VPN client?
The 192.168.1.0/24 is not in the destination for the SSL VPN.
So you configured it under SSL VPN Portals->Source IP Pools (GUI), or config vpn ssl web portal/edit "portal_name"/set ip-pools </32_name> (CLI)? I think it should work.
I apologize if I am not explaining this correctly. I am new to the Fortinet firewall. What I did was create the address under Policy & Objects (called TEST). After that I went to IPv4 Policy. I have an SSL-VPN tunnel interface (ssl.root) and under Destination I added that address (TEST). Not sure if it's because I don't have the gateway? But I tried using the gateway instead of the IP and that didn't work either. I could not PING it. Ping is enabled because I can ping the other 2 subnets. The other 2 subnets are /24.
Still not clear what you want to do. Do you want to access one SSL VPN client machine from an internal network directly connected to the FGT?
When I VPN I want to be able to hit that single host on that subnet. I don't want to open the whole /24. It's just 1 IP that hosts a web page that I would need to get to while connected to VPN.
Post a screenshot showing the address objects created/used along with the actual firewall rule(s). And did you confirm that even with the entire /24 range you can actually reach/connect to that single host?
intel233 wrote: When I VPN I want to be able to hit that single host on that subnet. I don't want to open the whole /24. It's just 1 IP that hosts a web page that I would need to get to while connected to VPN.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
The SSL-VPN tunnel interface is just that - an interface - you still need to configure it, including type of access, and a remote user (ID) to use/connect to it. The overall view of SSL-VPN is provided here.
What exactly are you trying to do? The SSL-VPN connection setup is primarily used by remote users outside (e.g. on the Internet) to connect through the fgt firewall to access resources on the inside (behind) the fgt.
If you have multiple subnets behind the fgt firewall (e.g. 192.168.1.*, 192.168.2.*, etc.) you generally create firewall rules between the subnets (interfaces) with NAT disabled.
intel233 wrote: I apologize if I am not explaining this correctly. I am new to the Fortinet firewall. What I did was create the address under Policy & Objects (called TEST). After that I went to IPv4 Policy. I have an SSL-VPN tunnel interface (ssl.root) and under Destination I added that address (TEST). Not sure if it's because I don't have the gateway? But I tried using the gateway instead of the IP and that didn't work either. I could not PING it. Ping is enabled because I can ping the other 2 subnets. The other 2 subnets are /24.
intel233 wrote: When I VPN I only want 1 IP allowed on a particular subnet. Is this possible? I tried creating the Address 192.168.1.120/32 and adding that as the destination, but it does not work.
Yes, that's normal, to lock your VPN down to single IPs, ports, etc. Who allows everything? That would be crazy!
Is that /32 in a new range that you are using? Has it been specified as a routing address the VPN clients can access under the VPN Portal settings? If not, add it there as well, or else the new rule will not work.
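For reference, here is the pair of settings the thread ends up at (the /32 address object used both as the portal's split-tunnel routing address and as the policy destination) written out as a FortiOS CLI fragment. This is an added example, not configuration posted by anyone in the thread; the portal name "full-access", the pool "SSLVPN_TUNNEL_ADDR1", the LAN interface name "internal" and the user group "SSL-VPN-Users" are assumptions and should be replaced with the names on your unit.

```text
# Added example (not from the thread). Assumed names: portal "full-access",
# pool "SSLVPN_TUNNEL_ADDR1", LAN interface "internal", group "SSL-VPN-Users".

# 1. The single host as a /32 address object (the "TEST" object from the thread)
config firewall address
    edit "TEST"
        set subnet 192.168.1.120 255.255.255.255
        set comment "only host SSL-VPN clients may reach on 192.168.1.0/24"
    next
end

# 2. The missing piece: push that /32 as a split-tunnel route to the client.
#    Without this the client never sends 192.168.1.120 traffic into the tunnel,
#    so a correct firewall policy alone still fails (no ping, no web page).
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "TEST"
    next
end

# 3. Policy from the tunnel interface to the LAN, destination restricted to the
#    /32 and to the services actually needed (least privilege: no whole /24).
config firewall policy
    edit 0
        set name "sslvpn-to-webhost"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "TEST"
        set groups "SSL-VPN-Users"
        set action accept
        set schedule "always"
        set service "HTTPS" "PING"
        set nat disable
        set logtraffic all
    next
end
```

After changing the portal, reconnect the SSL-VPN client and confirm a host route for 192.168.1.120 appears in the client's routing table before testing the policy; logging the policy with "logtraffic all" lets you see whether traffic is reaching the rule at all.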
Copyright 2024 Fortinet, Inc. All Rights Reserved.