zlimmen
New Contributor II

SSL-vpn -> LAN -> ipsec

Hi,

So I have a customer who wants me to set up SSL-VPN so he can access the company LAN, and he also wants access to RDP over an IPsec connection.

The SSL-VPN part is no problem, but for the part where he wants to use RDP against the IPsec connection, the connection against the IPsec has to be from the company LAN.

Is VIP the way to go? If yes, please give me an example.

Thanks in advance :)

Toshi_Esumi
SuperUser

On the SSL VPN side, if it's split-tunnel, you need to add the RDP destination address or subnet to come through the SSL VPN tunnel.

On the IPsec side, you need to add the SSL VPN's subnet to the IPsec tunnel to pass through on both local and remote sides, just like adding a new LAN subnet for the IPsec.

zlimmen
New Contributor II

Wow, I forgot about this post, sorry.

The problem is that I do not have access to the IPsec on the other side, so the question is how to NAT SSL VPN through the LAN to IPsec, so that the other side thinks it is coming from the company LAN.

Hopefully you understand my problem.

Toshi_Esumi

Then, reserve/exclude an IP from LAN DHCP (in case of DHCP), create an ippool like below, and use it in a separate policy from ssl.root to the IPsec interface.

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-transparent-54/3-Networking/2-NAT/2-S...

 

hawada

Hello,

 

I know that this is an old post, but there are 2 solutions for this scenario:

The first works as Toshi Esumi suggested.

The second solution is:

1- On the SSL VPN side, if it's split-tunnel, you need to add the RDP destination address or subnet to pass through the SSL VPN tunnel.

2- The IPsec tunnel should be up and running between the LAN subnet and the destination subnet.

3- Configure an SSL policy where the source is "SSL root interface" and the destination is the "IPsec interface". Then enable NAT and create an IPPool using a free IP address from the LAN subnet. All incoming traffic coming through the SSL VPN interface trying to reach the destination subnet will be NATed by the IPPool.

Regards,
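
The three steps above written out as FortiOS CLI, as an added example that is not part of the original posts. All addresses, the interface name `to-remote`, the group `sslvpn-rdp` and the object names `LAN_SUBNET`, `REMOTE_RDP_HOST` and `SSLVPN_AS_LAN` are constructed; `SSLVPN_TUNNEL_ADDR1` and `full-access` are assumed to be the unmodified default tunnel range and portal.

```fortios
# Constructed values: LAN 192.168.1.0/24, free (DHCP-excluded) LAN IP
# 192.168.1.250, remote RDP host 10.20.30.40, IPsec interface "to-remote".
config firewall address
    edit "REMOTE_RDP_HOST"
        set subnet 10.20.30.40 255.255.255.255
    next
end

# Step 1 (split-tunnel only): send the RDP host through the SSL VPN tunnel.
# This setting replaces the list, so keep the existing entries in it.
config vpn ssl web portal
    edit "full-access"
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_SUBNET" "REMOTE_RDP_HOST"
    next
end

# Step 3a: one-address overload pool taken from the LAN subnet, so the
# translated source falls inside the existing IPsec selectors.
config firewall ippool
    edit "SSLVPN_AS_LAN"
        set type overload
        set startip 192.168.1.250
        set endip 192.168.1.250
    next
end

# Step 3b: dedicated policy ssl.root -> IPsec interface, limited to one
# user group, one destination host and the RDP service, with full logging.
config firewall policy
    edit 0
        set name "sslvpn-to-remote-rdp"
        set srcintf "ssl.root"
        set dstintf "to-remote"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "REMOTE_RDP_HOST"
        set groups "sslvpn-rdp"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat enable
        set ippool enable
        set poolname "SSLVPN_AS_LAN"
        set logtraffic all
    next
end
```

Because every SSL VPN user leaves the tunnel as the same pool address, the remote side cannot tell users apart; the traffic log on this policy is the only per-user record of who opened which RDP session.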

 
