Hello!
I manage a VDOM (not root), HW accelerated with NP6XLite, on a FortiGate 100F (FortiOS 6.2.9).
I created a VPN as indicated in the cookbook titled "SSL VPN split tunnel for remote user" (https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/307303/ssl-vpn-split-tunnel-for-remote-u...).
Instead of wan as Listen on Interface(s), I put the accelerated processor interface NPU_vlink1 (IP 172.10.12.2),
and in Listen on port I set 20443.
A tip box informs me that "Web mode access will be listening at https://172.10.12.2:20443".
But 172.10.12.2:20443 is a port on the internal interface of my NPU_vlink1.
So I cannot reach it from outside the firewall (internet).
If I nmap it
nmap -p 20443 195.67.64.22
I see
port state
20443/tcp filtered
What do I need to do to expose my VPN server on the internet?
Do you have some tips?
Thank You!
P.
If you want to terminate access at a VDOM, regardless of whether it's for VPN or any other service, you need to have either a routable public IP on an interface (vdom-link in your case) in the VDOM or a VIP (20443) forwarded from a public IP facing the internet to the interface (vdom-link).
Why do you want to terminate the SSL VPN at the internal interface of your vdom? That might not work if it's not coming from the outside (LAN side) of the interface. At least it would require a policy to come through the vdom to reach the interface.
It's supposed to be VIPed to your npu_vlink1 side from the external interface:172.10.12.2. Then the VDOM can terminate the VPN there.
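As an added illustration of the VIP approach described in the replies above (not configuration posted by anyone in this thread), the following FortiOS CLI fragment is entered in the VDOM that owns the public-facing interface (assumed here to be root, interface "wan1" carrying the public IP 195.67.64.22 from the nmap command). It forwards TCP 20443 to the SSL VPN listener at 172.10.12.2:20443 on the vdom-link. The interface name "NPU_vlink0" for the root-side end of the vlink pair and the object names are assumptions.

```fortios
# Assumed: run in the root VDOM, which holds the public IP on wan1.
# The root-side end of the NPU vdom-link is assumed to be NPU_vlink0;
# 172.10.12.2 on NPU_vlink1 is the SSL VPN listener in the other VDOM.
config firewall service custom
    edit "SSLVPN-20443"
        set tcp-portrange 20443
    next
end
config firewall vip
    edit "vip-sslvpn-20443"
        # public address and interface the internet client connects to
        set extip 195.67.64.22
        set extintf "wan1"
        # port-forward only the SSL VPN port, not the whole IP
        set portforward enable
        set extport 20443
        set mappedip "172.10.12.2"
        set mappedport 20443
    next
end
config firewall policy
    edit 0
        set name "inet-to-sslvpn-vdom"
        set srcintf "wan1"
        set dstintf "NPU_vlink0"
        set srcaddr "all"
        set dstaddr "vip-sslvpn-20443"
        set action accept
        set schedule "always"
        # restrict the policy to the forwarded port only
        set service "SSLVPN-20443"
        set logtraffic all
    next
end
```

After applying it, the original nmap check (nmap -p 20443 195.67.64.22) should report the port as open rather than filtered, and `diagnose sniffer packet any 'port 20443' 4` on the FortiGate shows whether the SYN arrives on wan1 and is forwarded across the vdom-link.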