Hi all,
Would like to know whether there's a workaround for this.
Currently a /29 WAN subnet is configured on WAN 1, e.g. 202.188.1.130/29. The gateway is 202.188.1.129.
I want to separate out a particular IP, e.g. 202.188.1.132, and connect it to another port, e.g. Port 15, for SSL-VPN purposes.
By default, under the SSL-VPN settings, the box will only listen on the WAN 1 IP, i.e. 202.188.1.130:443.
How can I make the box listen on 202.188.1.132 for the SSL-VPN?
Thank you in advance for your guidance.
You will not be able to set an IP on another interface that is already part of the /29 on your WAN1.
You could break up the /29 into two /30s, but you would need extra config on the next-hop router as well, and a switch in between if there are no other ports available on the next hop.
You could also do a VIP as per this thread, but I don't think that's what you are looking for, as the original IP will also still be listening for VPN requests unless you block it...
https://forum.fortinet.com/tm.aspx?m=111523
Hi ShawnZA,
Thanks for your time.
I read through the link and did a check on the current box.
Silly question: what should the mapped IP be? The LAN IP of the box?
Thanks.
In the link I pasted the guy actually forwards it to his primary external IP, so probably not what you are looking for.
You could also create a loopback interface and assign any internal IP to it, like 10.40.1.1/30, or just a /32 as you only need one IP.
Then create a VIP address with your second external IP and forward it to the IP you specified for the loopback on port 443.
Then in the VPN settings you select the new loopback interface as the listening interface. I have done setups like that for IPsec VPN, so I am sure it should work for an SSL VPN setup.
I did a quick change on my home firewall; look at the attached image: create the loopback interface, create the VIP address and change the VPN settings to the new interface.
Then create the policy with the VIP to forward the SSL VPN traffic to your new internal loopback interface.
Also some info on setting up SSL VPN to a loopback interface:
https://forum.fortinet.com/tm.aspx?m=149400
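The steps ShawnZA describes (loopback interface, VIP onto the loopback, SSL-VPN listening on the loopback, and a policy for the VIP), written out as a FortiOS CLI fragment. This is an added example, not ShawnZA's or Fortinet's configuration: the interface name lo-sslvpn, the loopback address 10.40.1.1/32, and the VIP and policy names are assumptions; the public addresses are the ones from the original question, and the exact option names can differ slightly between FortiOS releases.

```fortios
# Added example, not from the thread. Names, the loopback address and
# the policy are assumptions; 202.188.1.132 and wan1 come from the question.

# 1. Internal loopback that the SSL-VPN service will bind to.
#    A /32 is enough because only one address is needed.
config system interface
    edit "lo-sslvpn"
        set vdom "root"
        set type loopback
        set ip 10.40.1.1 255.255.255.255
        set allowaccess ping
    next
end

# 2. VIP: the spare public IP on wan1 is mapped to the loopback on TCP 443.
#    The mapped IP is the loopback address, not the LAN IP of the box.
#    arp-reply is enabled by default, so the FortiGate answers ARP for
#    202.188.1.132 on wan1 even though no interface carries that address.
config firewall vip
    edit "vip-sslvpn"
        set extintf "wan1"
        set extip 202.188.1.132
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.40.1.1"
        set mappedport 443
    next
end

# 3. Make the SSL-VPN server listen on the loopback instead of wan1.
#    After this, 202.188.1.130:443 no longer serves the portal.
config vpn ssl settings
    set port 443
    set source-interface "lo-sslvpn"
    set source-address "all"
    set source-address6 "all"
end

# 4. Policy that lets wan1 traffic reach the VIP; without a policy whose
#    dstaddr is the VIP, the VIP is never hit. Narrow srcaddr to the
#    address ranges your users actually come from where that is possible.
config firewall policy
    edit 0
        set name "wan1-to-sslvpn-loopback"
        set srcintf "wan1"
        set dstintf "lo-sslvpn"
        set srcaddr "all"
        set dstaddr "vip-sslvpn"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Two checks after applying it: from outside, `https://202.188.1.132/` should show the portal while `https://202.188.1.130/` should not, and `diagnose sniffer packet wan1 'host 202.188.1.132 and port 443'` should show the SYNs arriving on wan1. The policy also keeps the admin GUI off the new public IP, because the loopback only allows ping and the VIP forwards port 443 to the SSL-VPN listener only.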
Hi ShawnZA,
Thank you for sharing the idea. I've followed the steps and was able to achieve the result.
Cheers.