SSLVPN no outbound access

CBlt · ‎04-22-2022

Please advise what else I can look in to if you have any ideas:

Issue: SSLVPN connection can access internal network, but cannot browse internet while connected via tunnel; web-access works.

Details: running 80F on 7.0.2 clients running Forticlient 7.0.1.0083

Firewall policies exist both inbound with NAT disabled and no inspection/policies currently

Split tunnel is purposefully disabled

SAML login with Azure works perfect

Tunnel and web access are enabled on coresponding portal/only web works

SSL Debug log

Configurations below

SSL Settings:

config vpn ssl settings
set servercert "~~name~~SSLVPN"
set idle-timeout 0
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
set source-interface "OUTSIDE"
set source-address "all"
set source-address6 "all"
set default-portal "web-access"
config authentication-rule
edit 1
set groups "VPN Users"
set portal "tunnel-access"
next
edit 2
set groups "saml-group01"
set portal "~~name~~ SSL-VPN"
next

Interface Config:

edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 4

Portal Config:

edit "~~name~~ SSL-VPN"
set tunnel-mode enable
set web-mode enable
set limit-user-logins enable
set auto-connect enable
set keep-alive enable
set save-password enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set split-tunneling disable
config bookmark-group
edit "gui-bookmarks"
config bookmarks

Firewall Policies:

edit 15
set name "SSLVPN"
set uuid 513e6b3a-c265-51ec-5ad0-b22a95256b41
set srcintf "ssl.root"
set dstintf "OUTSIDE"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set groups "saml-group01"
next
set name "SSLVPN_SAML"
set uuid e305cd54-c262-51ec-c1d6-90d0b7341dc3
set srcintf "ssl.root"
set dstintf "internal"
set action accept
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set groups "saml-group01"

pjang · ‎04-22-2022

Unless I'm missing something, it looks to me like Source NAT isn't turned on for Policy 15, the SSL-VPN to Internet policy.

You're using a full-tunnel SSL-VPN (set split-tunneling disable), so all traffic is shuttled over the VPN in this case, but you still need to NAT your address from the private IP range used by your SSL-VPN to your externally-routable Public IP before going out to the Internet (I'm assuming this is all using IPv4 since that is more common to see right now).

- Give 'em the ol' FortiRazzle Dazzle

View solution in original post

pjang · ‎04-22-2022

Unless I'm missing something, it looks to me like Source NAT isn't turned on for Policy 15, the SSL-VPN to Internet policy.

You're using a full-tunnel SSL-VPN (set split-tunneling disable), so all traffic is shuttled over the VPN in this case, but you still need to NAT your address from the private IP range used by your SSL-VPN to your externally-routable Public IP before going out to the Internet (I'm assuming this is all using IPv4 since that is more common to see right now).

- Give 'em the ol' FortiRazzle Dazzle

CBlt · ‎04-22-2022

Thank you. Sometimes I just need someone to point out simple things Im over thinking apparently.

Enabled NAT on Outbound and tunnel is now operational.

SSLVPN no outbound access

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website