Hi all,
I've got SSL-VPN working with the default LAN VLAN 192.168.178.x and my remote users have access.
I want to give them access to VLAN2 192.168.7.x as well. I've added the subnet to the destination field of the rule under Policy & Objects > IPv4 Policy, but my remote clients can't ping or reach the VLAN2 network.
Do I need to define somewhere else too?
Regards,
Rob
Along with the security policy, have you set up a static route?
tanr wrote: I've only done the security policy. Do I need a static route created manually?
Along with the security policy, have you set up a static route?
So I would need a static route created with the following:
destination subnet: my VLAN2 subnet
interface: SSL-VPN tunnel interface
gateway: ???????
Do you have any Routing Addresses defined in your SSL-VPN portal under Tunnel Mode -> Split Tunneling? If so, you need to include the VLAN2 subnet address there as well.
Also, I assume your VLAN2 subnet is on the same LAN interface/zone that your 192.168.178.x network is on? If not, then your policy between the SSL-VPN and LAN will not match even though you add the additional address. In that case you will need a separate policy for SSL-VPN to whatever interface VLAN2 is on.
lobstercreed wrote: Do you have any Routing Addresses defined in your SSL-VPN portal under Tunnel Mode -> Split Tunneling? If so, you need to include the VLAN2 subnet address there as well.
I have split tunnelling enabled and nothing in Routing address. I have my source IP pool configured. Should I define the VLAN2 subnet in addresses and add it to Routing address?
No, as long as you have a policy that includes the destination address and the appropriate user(s)/group(s) in the source, they should get the route. They do have to disconnect and reconnect from the tunnel to see the additional route though if you've made the change after someone had already connected.
@lobstercreed, thanks for the correction on routing. I was thinking of a different setup.
Step 1: under VPN > SSL-VPN Portals edit the split tunnel. Add necessary VLANs in Routing address override to define destination network that will be routed through tunnel.
Step 2: Configure SSL VPN firewall policy. Add those same VLANs under destination.
These two steps will allow remote users to access internal VLANs.
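The two steps above expressed as a FortiOS CLI configuration, added here as an illustration and not taken from the thread. The address object names, the interface names "internal" and "VLAN2", the user group "SSLVPN_Users" and the portal name are assumptions; "ssl.root" and "SSLVPN_TUNNEL_ADDR1" are the FortiGate defaults for the SSL-VPN tunnel interface and client IP pool.

```fortios
# Address objects for both internal networks (subnets from the thread)
config firewall address
    edit "LAN_net"
        set subnet 192.168.178.0 255.255.255.0
    next
    edit "VLAN2_net"
        set subnet 192.168.7.0 255.255.255.0
    next
end

# Step 1: split tunnel routing address on the portal (portal name assumed)
# If this list is left empty, the routes pushed to the client are derived
# from the destination addresses of the matching firewall policy instead.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_net" "VLAN2_net"
    next
end

# Step 2: firewall policy from the tunnel interface to both networks.
# dstintf lists every interface the subnets live on; if VLAN2 is on its
# own interface, it must appear here or the policy will not match.
config firewall policy
    edit 0
        set name "SSLVPN-to-internal"
        set srcintf "ssl.root"
        set dstintf "internal" "VLAN2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_net" "VLAN2_net"
        set groups "SSLVPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Clients already connected only receive the new route after they disconnect and reconnect to the tunnel.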
Copyright 2024 Fortinet, Inc. All Rights Reserved.