Hi Guys,
I am Ernest and new to Fortigate.
I have two LANs in my network (192.168.0.0/16 and 172.20.0.0/16).
There is routing defined in the core between these two LANs which allows access to services and applications on either side.
My Fortigate firewall, however, is directly connected to an interface on the 192.168.0.0 network.
I have configured SSL VPN access to the network on the FG firewall; my problem, however, is that I am unable to reach the 172.20.0.0 network over the SSL VPN connection.
I would really appreciate your input as to how to resolve this.
Thanks.
Hi Shawn,
The connection now works after restarting the box. A bit strange that it took a reboot to take effect, but it's working now.
Your advice has been eye-opening and I am grateful for the support.
Thanks.
Are you using split tunneling for the VPN?
If yes did you also define the 172.20.0.0/16 in there to route for VPN clients?
And did you also add it to the firewall policy to allow your VPN traffic to both 192.168.0.0/16 and 172.20.0.0/16?
Hi Shawn,
Thanks for the response.
I have enabled split tunneling. Also, I created a static route via the LAN interface to the 172.20.0.0 network
and created a policy allowing SSL VPN access to both networks.
I am, however, only able to reach the 192.168.0.0 network.
I do not want to create another ptp link just for access to the second LAN, but that may be the last resort.
Did you define 172.20.0.0/16 in the Split Tunneling routing addresses?
If you look at the screenshot, do you have both 192.168.0.0/16 and 172.20.0.0/16 in there as routing addresses?
And can you browse the internet from the 172.20 network? If you only added a static route into that network now, I take it the internet was never accessible from that range.
Can you ping your firewall internal lan IP from a device in that range?
Hi Shawn,
From the firewall interface, I am able to ping and reach devices in the 172.20.x.x network.
If ping is allowed on the interface then you need to check if routing is in fact working 100%. Can you ping from your firewall internal interface to one of the devices in the 172.20.0.0/16 range?
Do a ping from the FW:
First set the source IP for the ping command on the Fortigate (change 192.168.0.1 to the internal IP of your Fortigate):
execute ping-options source 192.168.0.1
Then ping a device (change 172.20.1.25 to a pingable IP in the 172 range):
execute ping 172.20.1.25
If your firewall can't ping a device in that range then there is a routing issue that you need to sort out first.
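The checks raised in this thread (split-tunnel routing addresses covering both LANs, a static route to the second LAN, a firewall policy to both LANs, and the ping test from the FortiGate itself) as one FortiOS CLI configuration. This is an added example, not configuration from any of the posts; the portal name "full-access", interface name "internal", core gateway 192.168.0.254 and user group "sslvpn-users" are assumptions to adapt to your box.

```fortios
# Address objects for the two LANs and a group used both for split tunnelling and the policy
config firewall address
    edit "LAN_192"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "LAN_172"
        set subnet 172.20.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "SSLVPN_SPLIT_NETS"
        set member "LAN_192" "LAN_172"
    next
end
# Split tunnelling: only these destinations are pushed as routes into the tunnel on the client
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "SSLVPN_SPLIT_NETS"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
# The FortiGate sits on 192.168.0.0/16 only, so it needs a route to 172.20.0.0/16 via the core router
# (gateway 192.168.0.254 and interface name "internal" are assumptions)
config router static
    edit 0
        set dst 172.20.0.0 255.255.0.0
        set gateway 192.168.0.254
        set device "internal"
    next
end
# Policy from the SSL VPN interface to BOTH LANs; scoped to the VPN user group, not "all"
config firewall policy
    edit 0
        set name "SSLVPN_to_LANs"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SSLVPN_SPLIT_NETS"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
    next
end
# Verify routing from the FortiGate itself before suspecting the VPN
execute ping-options source 192.168.0.1
execute ping 172.20.1.25
```

After changing the portal, disconnect and reconnect the VPN client so it pulls the new split-tunnel routes, then confirm the client's route table shows 172.20.0.0/16 via the tunnel adapter.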