SSLVPN no outbound access
Please advise what else I can look into if you have any ideas:
Issue: SSLVPN connection can access the internal network, but cannot browse the internet while connected via tunnel; web-access works.
Details: running an 80F on 7.0.2; clients running FortiClient 7.0.1.0083
Firewall policies exist both inbound with NAT disabled and no inspection/policies currently
Split tunnel is purposefully disabled
SAML login with Azure works perfect
Tunnel and web access are enabled on the corresponding portal/only web works
SSL Debug log
Configurations below
SSL Settings:

```
config vpn ssl settings
    set servercert "nameSSLVPN"
    set idle-timeout 0
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "OUTSIDE"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPN Users"
            set portal "tunnel-access"
        next
        edit 2
            set groups "saml-group01"
            set portal "nameSSL-VPN"
        next
    end
end
```
Interface Config:

```
edit "ssl.root"
    set vdom "root"
    set type tunnel
    set alias "SSL VPN interface"
    set snmp-index 4
next
```
Portal Config:

```
edit "nameSSL-VPN"
    set tunnel-mode enable
    set web-mode enable
    set limit-user-logins enable
    set auto-connect enable
    set keep-alive enable
    set save-password enable
    set ip-pools "SSLVPN_TUNNEL_ADDR1"
    set split-tunneling disable
    config bookmark-group
        edit "gui-bookmarks"
            config bookmarks
```
Firewall Policies:

```
edit 15
    set name "SSLVPN"
    set uuid 513e6b3a-c265-51ec-5ad0-b22a95256b41
    set srcintf "ssl.root"
    set dstintf "OUTSIDE"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set groups "saml-group01"
next
edit <policy id not shown in post>
    set name "SSLVPN_SAML"
    set uuid e305cd54-c262-51ec-c1d6-90d0b7341dc3
    set srcintf "ssl.root"
    set dstintf "internal"
    set action accept
    set srcaddr "SSLVPN_TUNNEL_ADDR1"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set logtraffic all
    set groups "saml-group01"
next
```
Unless I'm missing something, it looks to me like Source NAT isn't turned on for Policy 15, the SSL-VPN to Internet policy.
You're using a full-tunnel SSL-VPN (set split-tunneling disable), so all traffic is shuttled over the VPN in this case, but you still need to NAT your address from the private IP range used by your SSL-VPN to your externally-routable Public IP before going out to the Internet (I'm assuming this is all using IPv4 since that is more common to see right now).
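To turn the diagnosis above into a repeatable check, here is an added example (not Fortinet's code and not from this thread) that parses the `config`/`edit`/`set`/`next`/`end` layout of a `config firewall policy` dump and reports any accept policy from the SSL VPN interface to the WAN interface that lacks `set nat enable`. The interface names `ssl.root` and `OUTSIDE` are taken from the post; the sample config is constructed from the two policies shown there, with a placeholder ID for the internal policy whose ID the post omits.

```python
"""Flag FortiOS policies that pass SSL VPN traffic to the WAN without source NAT.
Added example for this thread, not Fortinet's or the poster's code. It parses the
config/edit/set/next/end layout of a `config firewall policy` dump and reports accept
policies from the tunnel interface to the WAN interface lacking `set nat enable`."""
import shlex

def parse_policies(text: str) -> dict[str, dict[str, list[str]]]:
    """Return {policy_id: {setting: [values]}} for each `edit` entry at depth 1."""
    policies: dict[str, dict[str, list[str]]] = {}
    depth, current = 0, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted values such as "ssl.root"
        verb = tokens[0] if tokens else ""
        if verb == "config":
            depth += 1
        elif verb == "end":
            depth -= 1
        elif verb == "edit" and depth == 1:
            current = policies.setdefault(tokens[1], {})
        elif verb == "next":
            current = None
        elif verb == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
    return policies

def sslvpn_egress_without_nat(text: str, tunnel_if="ssl.root", wan_if="OUTSIDE") -> list[str]:
    """IDs of accept policies tunnel_if -> wan_if that do not enable source NAT."""
    return [pid for pid, s in parse_policies(text).items()
            if tunnel_if in s.get("srcintf", []) and wan_if in s.get("dstintf", [])
            and s.get("action") == ["accept"] and s.get("nat") != ["enable"]]

# Constructed sample: the post's two policies trimmed to the relevant settings.
# The internal policy has no ID in the post; 16 is a placeholder for this example.
POSTED_CONFIG = """\
config firewall policy
    edit 15
        set srcintf "ssl.root"
        set dstintf "OUTSIDE"
        set action accept
    next
    edit 16
        set srcintf "ssl.root"
        set dstintf "internal"
        set action accept
    next
end
"""
# The fix from the thread: enable source NAT on the outbound (policy 15) entry only.
FIXED_CONFIG = POSTED_CONFIG.replace('set dstintf "OUTSIDE"\n',
                                     'set dstintf "OUTSIDE"\n        set nat enable\n', 1)
```

Running `sslvpn_egress_without_nat(POSTED_CONFIG)` returns `['15']`, and the same call on `FIXED_CONFIG` returns an empty list; the internal policy is never flagged because its destination is not the WAN interface.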
Thank you. Sometimes I just need someone to point out simple things I'm overthinking, apparently.
Enabled NAT on outbound and the tunnel is now operational.
