CBlt
New Contributor

SSLVPN no outbound access

Please advise what else I can look in to if you have any ideas:

Issue: SSLVPN connection can access internal network, but cannot browse internet while connected via tunnel; web-access works.

Details: running 80F on 7.0.2; clients running FortiClient 7.0.1.0083

Firewall policies exist both inbound with NAT disabled and no inspection/policies currently

Split tunnel is purposefully disabled

SAML login with Azure works perfect

Tunnel and web access are enabled on corresponding portal/only web works

SSL Debug log

Configurations below

SSL Settings:

config vpn ssl settings
    set servercert "nameSSLVPN"
    set idle-timeout 0
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "OUTSIDE"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPN Users"
            set portal "tunnel-access"
        next
        edit 2
            set groups "saml-group01"
            set portal "name SSL-VPN"
        next

Interface Config:

edit "ssl.root"
    set vdom "root"
    set type tunnel
    set alias "SSL VPN interface"
    set snmp-index 4

Portal Config:

edit "name SSL-VPN"
    set tunnel-mode enable
    set web-mode enable
    set limit-user-logins enable
    set auto-connect enable
    set keep-alive enable
    set save-password enable
    set ip-pools "SSLVPN_TUNNEL_ADDR1"
    set split-tunneling disable
    config bookmark-group
        edit "gui-bookmarks"
            config bookmarks

Firewall Policies:

edit 15
    set name "SSLVPN"
    set uuid 513e6b3a-c265-51ec-5ad0-b22a95256b41
    set srcintf "ssl.root"
    set dstintf "OUTSIDE"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set groups "saml-group01"
next

    set name "SSLVPN_SAML"
    set uuid e305cd54-c262-51ec-c1d6-90d0b7341dc3
    set srcintf "ssl.root"
    set dstintf "internal"
    set action accept
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set logtraffic all
    set groups "saml-group01"

1 Solution
pjang
Staff

Unless I'm missing something, it looks to me like Source NAT isn't turned on for Policy 15, the SSL-VPN to Internet policy.

You're using a full-tunnel SSL-VPN (set split-tunneling disable), so all traffic is shuttled over the VPN in this case, but you still need to NAT your address from the private IP range used by your SSL-VPN to your externally-routable Public IP before going out to the Internet (I'm assuming this is all using IPv4 since that is more common to see right now).

- Give 'em the ol' FortiRazzle Dazzle

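As an added illustration (not part of the thread, and not a Fortinet tool): a small Python script that parses a `config firewall policy` dump and flags accept policies carrying traffic from the SSL-VPN interface to the WAN interface with no `set nat enable`, which is exactly the condition pjang describes for policy 15. The config text is reconstructed from the post and trimmed to the relevant lines; the interface names `ssl.root` and `OUTSIDE` come from the post, while the second policy's id (99) is a placeholder because the post never shows it. The remediation it prints is the standard FortiOS `config firewall policy` / `set nat enable` syntax.

```python
import re

# Constructed sample (not a live config dump): the two SSL-VPN policies quoted in
# the thread, reduced to the lines relevant here. Policy 15 (ssl.root -> OUTSIDE)
# has no "set nat enable", which is the defect pjang points out. The second
# policy's id (99) is a placeholder because the post does not show it.
SAMPLE_POLICY_CONFIG = """\
config firewall policy
    edit 15
        set name "SSLVPN"
        set srcintf "ssl.root"
        set dstintf "OUTSIDE"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "saml-group01"
    next
    edit 99
        set name "SSLVPN_SAML"
        set srcintf "ssl.root"
        set dstintf "internal"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "saml-group01"
    next
end
"""


def parse_policies(config_text):
    """Parse a 'config firewall policy' dump into {policy_id: {key: [values]}}.

    Every 'set' value is stored as a list so that multi-valued keys such as
    'set srcintf "a" "b"' and single values are handled the same way.
    """
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        edit = re.match(r"^edit (\d+)$", line)
        if edit:
            current = {}
            policies[int(edit.group(1))] = current
            continue
        if line == "next":
            current = None
            continue
        setting = re.match(r"^set (\S+) (.+)$", line)
        if setting and current is not None:
            key, rest = setting.groups()
            current[key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
    return policies


def find_egress_policies_without_nat(policies, vpn_interfaces=("ssl.root",),
                                     wan_interfaces=("OUTSIDE",)):
    """Return ids of accept policies that send VPN-interface traffic to a WAN
    interface without source NAT. A 'show' dump omits settings left at their
    default, so a missing 'nat' key is treated as 'disable'."""
    findings = []
    for pid, policy in sorted(policies.items()):
        if policy.get("action", ["deny"])[0] != "accept":
            continue
        if not set(policy.get("srcintf", [])) & set(vpn_interfaces):
            continue
        if not set(policy.get("dstintf", [])) & set(wan_interfaces):
            continue
        if policy.get("nat", ["disable"])[0] != "enable":
            findings.append(pid)
    return findings


def remediation_cli(policy_id):
    """Standard FortiOS CLI to turn on source NAT for one policy."""
    return "\n".join([
        "config firewall policy",
        f"    edit {policy_id}",
        "        set nat enable",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    found = find_egress_policies_without_nat(parse_policies(SAMPLE_POLICY_CONFIG))
    for pid in found:
        print(f"policy {pid}: SSL-VPN -> WAN without source NAT; fix with:")
        print(remediation_cli(pid))
```

The internal-facing policy (ssl.root to internal) is deliberately not flagged: RFC 1918 tunnel addresses are routable inside the LAN, so NAT is only required where the next hop is the Internet. Run it against the output of `show firewall policy` to get the same check on a real unit.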
2 REPLIES
CBlt
New Contributor

Thank you. Sometimes I just need someone to point out simple things I'm overthinking, apparently.

Enabled NAT on Outbound and tunnel is now operational.
