Hi!
Maybe I found a bug in my FortiGate 300C, 5.0.5.
A VPN User with the VPN IP 10.10.10.2 is able to ping 192.168.1.11 and that should be possible
Here is the debug log:
2014-04-11 04:31:36 id=13 trace_id=127 msg=" allocate a new session-12345678"
2014-04-11 04:31:36 id=13 trace_id=127 msg=" find a route: gw-192.168.1.11 via port5"
2014-04-11 04:31:36 id=13 trace_id=127 msg=" use addr/intf hash, len=7"
2014-04-11 04:31:36 id=13 trace_id=127 msg=" find SNAT: IP-192.168.1.1, port-12345"
2014-04-11 04:31:36 id=13 trace_id=127 msg=" Allowed by Policy-81: SNAT"
2014-04-11 04:31:36 id=13 trace_id=127 msg=" SNAT 10.10.10.2->192.168.1.1:62464"
2014-04-11 04:31:37 id=13 trace_id=128 msg=" vd-root received a packet(proto=1, 10.10.10.2:1->192.168.1.11:8) from ssl.root."
2014-04-11 04:31:37 id=13 trace_id=128 msg=" Find an existing session, id-12345678, original direction"
2014-04-11 04:31:37 id=13 trace_id=128 msg=" enter fast path"
Here is the policy:
edit 81
    set srcintf "port9"
    set dstintf "port5"
    set srcaddr "all"
    set dstaddr "LAN3"
    set action ssl-vpn
    set identity-based enable
    config identity-based-policy
        edit 1
            set schedule "always"
            set groups "GroupXY"
            set service "Costum Service TCP 12345"
            set sslvpn-portal "tunnel-access"
        next
    end
next
The policy should only allow "Costum Service TCP 12345", and nothing else, no ping!!!
What's the problem?
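Added example (not from the post or from Fortinet): a small checker that reads `diagnose debug flow` output like the trace above, links each packet to the policy that created its session, and flags packets whose protocol or destination port is outside the service the policy is expected to permit. The policy model `EXPECTED_POLICIES` is a hypothetical hand-written summary of policy 81 from the post (TCP/12345 only); the trace text is constructed from the lines quoted above. Run over the post's trace it reports trace 128, an ICMP packet (proto=1) accepted into the session that policy 81 allowed.

```python
import re
from collections import defaultdict

# IP protocol numbers as they appear in "proto=N" in FortiGate debug-flow output
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample input: the trace lines quoted in the post above
SAMPLE_TRACE = """\
2014-04-11 04:31:36 id=13 trace_id=127 msg=" allocate a new session-12345678"
2014-04-11 04:31:36 id=13 trace_id=127 msg=" find a route: gw-192.168.1.11 via port5"
2014-04-11 04:31:36 id=13 trace_id=127 msg=" Allowed by Policy-81: SNAT"
2014-04-11 04:31:36 id=13 trace_id=127 msg=" SNAT 10.10.10.2->192.168.1.1:62464"
2014-04-11 04:31:37 id=13 trace_id=128 msg=" vd-root received a packet(proto=1, 10.10.10.2:1->192.168.1.11:8) from ssl.root."
2014-04-11 04:31:37 id=13 trace_id=128 msg=" Find an existing session, id-12345678, original direction"
2014-04-11 04:31:37 id=13 trace_id=128 msg=" enter fast path"
"""

# Hypothetical model of what each policy is expected to permit (written by hand from the
# post's config, not read from the FortiGate): policy id -> list of (protocol, allowed dst ports).
EXPECTED_POLICIES = {81: [("TCP", {12345})]}

TRACE_RE = re.compile(r"trace_id=(\d+)")
PACKET_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)")
NEW_SESSION_RE = re.compile(r"allocate a new session-(\d+)")
EXISTING_SESSION_RE = re.compile(r"existing session, id-(\d+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")


def parse_traces(text):
    """Group debug-flow lines by trace_id and extract packet, session and policy fields."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        t = traces[int(m.group(1))]
        pkt = PACKET_RE.search(line)
        if pkt:
            t["packet"] = {
                "proto": int(pkt.group(1)),
                "src": pkt.group(2), "sport": int(pkt.group(3)),
                "dst": pkt.group(4), "dport": int(pkt.group(5)),
            }
        sess = NEW_SESSION_RE.search(line) or EXISTING_SESSION_RE.search(line)
        if sess:
            t["session"] = int(sess.group(1))
        allow = ALLOW_RE.search(line)
        if allow:
            t["policy"] = int(allow.group(1))
    return traces


def find_service_mismatches(text, expected_policies):
    """Return packets that were accepted under a policy whose expected service does not cover them."""
    traces = parse_traces(text)
    # A packet matched to an existing session inherits the policy that created that session
    session_policy = {t["session"]: t["policy"]
                      for t in traces.values() if "session" in t and "policy" in t}
    mismatches = []
    for trace_id, t in sorted(traces.items()):
        pkt = t.get("packet")
        if pkt is None:
            continue
        policy = t.get("policy") or session_policy.get(t.get("session"))
        if policy is None or policy not in expected_policies:
            continue  # no expectation recorded for this policy; nothing to compare against
        proto = PROTO_NAMES.get(pkt["proto"], str(pkt["proto"]))
        # For ICMP the ":n" fields in the trace are not L4 ports, so only the protocol is compared
        allowed = any(
            p == proto and (proto == "ICMP" or pkt["dport"] in ports)
            for p, ports in expected_policies[policy]
        )
        if not allowed:
            mismatches.append({
                "trace_id": trace_id,
                "policy": policy,
                "proto": proto,
                "src": pkt["src"],
                "dst": pkt["dst"],
                "dport": pkt["dport"],
                "expected": [f"{p}/{','.join(map(str, sorted(ports)))}" for p, ports in expected_policies[policy]],
            })
    return mismatches


if __name__ == "__main__":
    for m in find_service_mismatches(SAMPLE_TRACE, EXPECTED_POLICIES):
        print(f"trace {m['trace_id']}: {m['proto']} {m['src']}->{m['dst']} accepted by "
              f"policy {m['policy']}, expected only {m['expected']}")
```

The check only sees what the trace shows: a policy id in an "Allowed by Policy" line and the session id that ties later packets to it. It says nothing about why the firewall accepted the packet; it just makes the gap between the configured service and the observed traffic visible for every policy you describe in `EXPECTED_POLICIES`.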