Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hillsitsupp
New Contributor II

SSLVPN natting traffic to resource behind 2nd Fortigate

Hi

 

We have a SSLVPN Web portal on one Fortigate. When using it to get to resources behind a tunnel on another Fortigate, it seems to NAT the traffic despite the policy having NAT turned off.

 

[Attached diagram: Fortinat.png]

 

FG2 sees the source address of traffic to AWS being 192.168.1.1 instead of 10.10.1.1

 

Can anyone explain what's going on here?

AEK
SuperUser

Hi

Are you using Central SNAT on FG1?

AEK
hillsitsupp
New Contributor II

No, central NAT is disabled.

Toshi_Esumi
SuperUser

If you're not using Central NAT as @AEK is asking, please share with us the policy config at the FG1:
    ssl.root -> FG1's internal interface that has 192.168.1.1

in CLI. You need to get in "config firewall policy" then find the policy's ID "edit x", then "show".

 

Toshi

hillsitsupp

Edited:

 

Looks like this is expected behavior for web SSLVPN.

 

"The source IP address used by the FortiGate when accessing SSL VPN Web Portal bookmarks is the IP address configured for the outgoing interface specified in the SSL VPN security policy."

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Source-IP-used-by-FortiGate-to-access-reso...

 

Thanks for taking a look for me.

Toshi_Esumi

Yes, "web mode" traffic is basically initiated by the FGT. And that's why the other mode with FortiClient is called "tunnel mode".

Toshi

smayank
Staff

Hello 

This is the expected behaviour of SSL VPN Web mode. First the user connects to the firewall, and when the traffic goes to the LAN it takes the LAN interface IP address as the source.

Thanks & Regards
Mayank Sharma
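The checks Toshi_Esumi asks for, and the behaviour the accepted answer describes, as a FortiOS CLI walkthrough added here by the editor (not posted by anyone in the thread). The policy ID 5, the portal name "full-access", the address object names and the AWS host 172.16.0.10 are placeholders; the interface address 192.168.1.1 and client address 10.10.1.1 are the ones from the original post.

```fortios
# Added example, not from the thread. Placeholders: policy ID 5, the portal
# "full-access", address objects, and the AWS host 172.16.0.10.

# 1. On FG1, dump the ssl.root -> internal policy as Toshi_Esumi asked.
#    "show" prints only non-default values, so an absent "set nat enable"
#    line means policy NAT is off; "show full-configuration" prints
#    defaults as well if you want it spelled out.
config firewall policy
    edit 5
        show
    next
end

# 2. See what FG2 actually receives: sniff on FG1 while a web-portal
#    bookmark to the AWS host is opened. Verbosity 4 prints the interface
#    each packet leaves on. In web mode the source is 192.168.1.1 (FG1's
#    outgoing interface address), not the ssl.root client address 10.10.1.1,
#    regardless of the policy's NAT setting, because FG1 itself originates
#    the connection on the user's behalf.
diagnose sniffer packet any 'host 172.16.0.10' 4 10

# 3. The same view from the session side: trace the flow and note the
#    source address the session is created with.
diagnose debug flow filter addr 172.16.0.10
diagnose debug flow trace start 20
diagnose debug enable
#    ... open the bookmark, then stop tracing:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 4. Consequence for FG2: with web mode, FG2's inbound policy on the
#    FG1<->FG2 tunnel interface must permit 192.168.1.1 as the source, not
#    the SSL VPN client range. If FG2 must see the client address 10.10.1.1,
#    use tunnel mode (FortiClient) instead: keep NAT disabled on the FG1
#    policy and give FG2 a route back to the SSL VPN pool over the tunnel.
#    Portal setting on FG1 that enables tunnel mode alongside web mode:
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set web-mode enable
    next
end
```

Step 2 is the quickest way to settle the question in the original post: if the sniffer on FG1 already shows 192.168.1.1 as the source on the way out, FG2 is reporting exactly what it was sent, and the policy's NAT flag is not involved.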
