Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gypsy_Dave
New Contributor III

SSL VPN remote access to multiple VLANS

Hi all,

I've got SSL-VPN working with the default LAN VLAN 192.168.178.x and my remote users have access.

I want to give them access to VLAN2 192.168.7.x as well. I've added the subnet to the destination field of the rule under policy and objects, IPv4 Policy but my remote clients cant ping or reach the VLAN2 network. 

Do I need to define somewhere else too?

Regards,

Rob

10 REPLIES 10
tanr
Valued Contributor II

Along with the security policy, have you set up a static route?

Gypsy_Dave
New Contributor III

tanr wrote:

Along with the security policy, have you set up a static route?

I've only done the security policy. Do I need a static route created manually? 

Gypsy_Dave

So I would need a static route created with the following:

destination subnet:MY VLAN2 subnet

Interface SSL-VPN tunnel Interface

gateway: ???????

lobstercreed

Do you have any Routing Addresses defined in your SSL-VPN portal under Tunnel Mode -> Split Tunneling?  If so, you need to include the VLAN2 subnet address there as well.

lobstercreed

Also, I assume your VLAN2 subnet is on the same LAN interface/zone that your 192.168.178.x network is on?  If not, then your policy between the SSL-VPN and LAN will not match even though you add the additional address.  In that case you will need a separate policy for SSL-VPN to whatever interface VLAN2 is on.

 

Gypsy_Dave

lobstercreed wrote:

Do you have any Routing Addresses defined in your SSL-VPN portal under Tunnel Mode -> Split Tunneling?  If so, you need to include the VLAN2 subnet address there as well.

I have split tunnelling enabled and nothing in Routing address. I have my source IP pool configured. Should I define the vlan2 subnet in addresses and add it to Routing address? 

lobstercreed

No, as long as you have a policy that includes the destination address and the appropriate user(s)/group(s) in the source, they should get the route.  They do have to disconnect and reconnect from the tunnel to see the additional route though if you've made the change after someone had already connected.

tanr
Valued Contributor II

@lobstercreed, thanks for the correction on routing.  I was thinking of a different setup.

souvikt
New Contributor

Step 1: under VPN > SSL-VPN Portals edit the split tunnel. Add necessary VLANs in Routing address override to define destination network that will be routed through tunnel.

Step 2: Configure SSL VPN firewall policy. Add those same VLANs under destination. 

 

These two steps will allow remote user to access internal VLANs. 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors