Hello all!
I need help.
I have a FortiGate 100D, firmware v5.0, build4429.
I use two ISPs, on WAN1 and WAN2.
On WAN1 I enabled Web Mode.
I cannot access my internal sub-network.
I used the debug command
diagnose sniffer packet any "dst host Internal_server_ip"
I noticed that the outgoing packets have the IP IP_WAN1.
I think that they should have the IP IP_INTERNAL_INTERFACE.
Thank you for your help.
turovskiy wrote: I think that they should have the IP IP_INTERNAL_INTERFACE.
This is not completely right. If this were true you would get a round-robin effect. This is something you don't want. The incoming interface will always be the outgoing interface.
Did you enter your portal settings right? And did you make policies for the SSL VPN subnet to the "Internal subnet"?
config vpn ssl web portal
    edit "full-access"
        set allow-access web ssh ping portforward
        set theme gray
        set page-layout double-column
        config widget
            edit 8
                set name "Connection Tool"
                set type tool
                set column two
                set allow-apps web ssh ping portforward
            next
            edit 4
                set name "Corporate services"
                set allow-apps web ssh portforward
                config bookmarks
                    edit "Corporate portal"
                        set description "Corporate portal"
                        set url "http://192.168.0.X"
                    next
                    edit "Corporate mail"
                        set description "Corporate mail"
                        set url "https://192.168.19.X"
                    next
                end
            next
            edit 5
                set name "Tunnel Mode"
                set type tunnel
                set column two
                set ipv6-split-tunneling disable
                set ip-pools "ssl-vpn-co2-r"
            next
            edit 6
                set name "Session Information"
                set type info
            next
            edit 7
                set name "FortiClient Download"
                set type forticlient-download
                set column two
            next
        end
    next
end
diagnose sniffer packet any "dst host 192.168.19.X" 4
interfaces=[any]
filters=[dst host 192.168.19.X]
2.991760 co2-bk-m-1 out WAN1_IP -> 192.168.19.X: icmp: echo request
I am using method #2.
CO2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [30/0] via X.X.X.X, wan1, [25/0]
[30/0] via X.X.X.X, GT-Internet, [30/0]
S 10.2.2.0/24 [10/0] is directly connected, co2-bk-m-1, [10/0]
C 10.10.0.0/21 is directly connected, lan
S 10.11.0.0/21 [10/0] via 10.10.7.254, lan
S 10.12.0.0/21 [10/0] via 10.10.7.254, lan
S 10.20.11.0/24 [10/0] is directly connected, co2-vl-m1
S 10.80.1.0/24 [10/0] is directly connected, co2_vk_m1, [10/0]
S 10.80.2.0/24 [10/0] is directly connected, co2-vl-m1, [10/0]
C 46.164.137.64/29 is directly connected, wan1
C 85.223.232.152/29 is directly connected, GT-Internet
S 192.168.0.0/23 [10/0] via 10.10.7.254, lan
S 192.168.3.0/24 [10/0] is directly connected, co2-kf-m-1, [5/0]
[10/0] is directly connected, co2-kf-b-1, [10/0]
S 192.168.5.0/24 [10/0] is directly connected, co2-kfs-m-1, [5/0]
[10/0] is directly connected, co2-kfs-b-1, [10/0]
S 192.168.6.0/24 [10/0] is directly connected, co2_vk_m1, [10/0]
S 192.168.7.0/24 [10/0] is directly connected, co2-sdf-m-1, [10/0]
S 192.168.11.0/24 [10/0] is directly connected, co2-lviv-m-1, [5/0]
[10/0] is directly connected, co2-lviv-b-1, [10/0]
S 192.168.14.0/24 [10/0] is directly connected, co2-kho-m-1, [5/0]
[10/0] is directly connected, co2-kho-b-1, [10/0]
S 192.168.15.0/24 [10/0] is directly connected, co2-kh-m-1, [5/0]
[10/0] is directly connected, co2-kh-b-1, [10/0]
S 192.168.17.0/24 [10/0] is directly connected, co2-lit-b-1, [10/0]
[10/0] is directly connected, co2-lit-m-1, [15/0]
S 192.168.18.0/23 [10/0] is directly connected, co2-bk-m-1, [10/0]
S 192.168.20.0/24 [10/0] is directly connected, co2-kff-m-1, [5/0]
[10/0] is directly connected, co2-kff-bb-1, [10/0]
S 192.168.21.0/24 [10/0] is directly connected, co2-kfa-m-1, [5/0]
[10/0] is directly connected, co2-kfa-bb-1, [10/0]
S 192.168.23.0/24 [10/0] is directly connected, co2-msk-m-1, [5/0]
[10/0] is directly connected, co2-msk-b-1, [10/0]
S 192.168.24.0/24 [10/0] is directly connected, co2-msks-m-1, [5/0]
[10/0] is directly connected, co2-msks-bb-1, [10/0]
S 192.168.31.0/24 [10/0] is directly connected, co2-bk-m-1, [10/0]
S 192.168.33.0/24 [10/0] is directly connected, co2-bel-m-1, [5/0]
[10/0] is directly connected, co2-bel-bb-1, [10/0]
S 192.168.42.0/24 [10/0] is directly connected, co2_vk_m1, [10/0]
S 192.168.44.0/24 [10/0] is directly connected, co2-sdf-m-1, [5/0]
S 192.168.45.0/24 [10/0] is directly connected, co2-lit-b-1, [5/0]
S 192.168.46.0/24 [10/0] is directly connected, co2-kf-m-1, [5/0]
S 192.168.47.0/24 [10/0] is directly connected, co2-bel-m-1, [5/0]
S 192.168.48.0/24 [10/0] is directly connected, co2-msk-m-1, [5/0]
S 192.168.49.0/24 [10/0] is directly connected, co2-kff-m-1, [5/0]
S 192.168.50.0/24 [10/0] is directly connected, co2-kho-m-1, [5/0]
S 192.168.51.0/24 [10/0] is directly connected, co2-laack-m-1, [5/0]
[10/0] is directly connected, co2-laack-bb-1, [10/0]
S 192.168.52.0/24 [10/0] is directly connected, co2-sh-m-1, [5/0]
[10/0] is directly connected, co2-sh-bb-1, [10/0]
S 192.168.53.0/24 [10/0] is directly connected, co2-gb-m-1, [5/0]
[10/0] is directly connected, co2-gb-bb-1, [10/0]
S 192.168.54.0/24 [10/0] is directly connected, co2-jac-m-1, [5/0]
[10/0] is directly connected, co2-jac-bb-1, [10/0]
S 192.168.56.0/24 [10/0] is directly connected, co2-bos-bb-1, [10/0]
S 192.168.57.0/24 [10/0] is directly connected, co2-xo-m-1, [5/0]
[10/0] is directly connected, co2-xo-bb-1, [10/0]
S 192.168.59.0/24 [10/0] is directly connected, co2-vl-m1, [10/0]
C 192.168.60.0/24 is directly connected, wi-fi-bio-guest
S 192.168.70.0/24 [20/0] is directly connected, co2_h_m2, [10/0]
[20/0] is directly connected, co2_h_m1, [20/0]
S 192.168.200.0/24 [10/0] via 10.10.7.254, lan, [10/0]
S 192.168.230.0/24 [10/0] via 192.168.230.53, GT-L2
C 192.168.230.52/30 is directly connected, GT-L2
Hello!
set srcintf "wan1"
set dstintf "any"
set srcaddr "all"
set dstaddr "pridn-net-g" "co2-net-g" "co-net"
set action ssl-vpn
set global-label "SSL VPN"
set identity-based enable
config identity-based-policy
    edit 2
        set schedule "always"
        set logtraffic disable
        set groups "vpn-users"
        set service "ALL"
        set sslvpn-portal "full-access"
    next
end
I am using the Connection Tool in the Web Portal and pinging 192.168.19.254.
The result:
# diagnose sniffer packet any "dst host 192.168.19.254 " 4
interfaces=[any]
filters=[dst host 192.168.19.254 ]
4.147289 co2-bk-m-1 out IP_WAN1 -> 192.168.19.254: icmp: echo request
Using the current policy, packets are forwarded to the appropriate interface, but the SOURCE-IP is incorrect (IP_WAN1).
The situation has not changed.
Hello,
Which method are you using to ping the destination?
1> Clicking on Connect after logging in to the SSL portal and downloading FortiClient from the browser?
2> Or using the Connection Tool from the SSL portal after logging in?
It should be the latter, as you have mentioned web mode, but just to be sure.
Also, could you share the output of the command:
get router info routing-table all
Hello,
Routing appears to be in place; this is the route which should be used:
S 192.168.18.0/23 [10/0] is directly connected, co2-bk-m-1, [10/0]
Regardless of the distance and priority of the default route, as this is the more specific route. Could you please share the firewall policies created with action SSL-VPN?
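Added example, not code from the thread or from Fortinet: a small Python helper that does the longest-prefix lookup the reply above did by hand on `get router info routing-table all` output, then checks a verbosity-4 `diagnose sniffer packet` line against it, flagging an egress interface that differs from the routed one and an outgoing source address that belongs to a WAN interface (the symptom in this thread). The route and sniffer lines are constructed in the thread's format; 203.0.113.10 is a placeholder for IP_WAN1.

```python
import ipaddress
import re

# Constructed sample in the thread's `get router info routing-table all` format; 203.0.113.x and 198.51.100.x stand in for X.X.X.X.
ROUTING_TABLE = """\
S* 0.0.0.0/0 [30/0] via 203.0.113.1, wan1, [25/0]
[30/0] via 198.51.100.1, GT-Internet, [30/0]
S 192.168.18.0/23 [10/0] is directly connected, co2-bk-m-1, [10/0]
"""
# Constructed verbosity-4 sniffer line in the thread's shape; 203.0.113.10 stands in for IP_WAN1.
SNIFFER_LINE = "4.147289 co2-bk-m-1 out 203.0.113.10 -> 192.168.19.254: icmp: echo request"

# Route line: "<code> <prefix> ... , <interface>" (primary path only).
ROUTE_RE = re.compile(r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+/\d+)\s+.*?,\s*(?P<iface>[\w.-]+)")
# Sniffer line: "<time> <iface> <in|out> <src>[.port] -> <dst>[.port]: ..."
SNIFF_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def parse_routes(text):
    """[(network, interface)] per route line; ECMP continuation lines (starting with '[') are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m["prefix"], strict=False), m["iface"]))
    return routes

def best_route(routes, dst):
    """Longest-prefix match: the most specific network wins regardless of the default route's distance/priority."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def check_packet(line, routes, wan_ips):
    """Compare one sniffer line with the routing table and the WAN addresses; returns a list of findings."""
    m = SNIFF_RE.match(line.strip())
    if not m:
        raise ValueError("not a verbosity-4 sniffer line: " + line)
    findings = []
    route = best_route(routes, m["dst"])
    if route is None:
        findings.append("no route for " + m["dst"])
    elif route[1] != m["iface"]:
        findings.append(f"egress {m['iface']} differs from routed {route[1]}")
    if m["dir"] == "out" and m["src"] in wan_ips:
        findings.append(f"source {m['src']} is a WAN address, not an internal interface IP")
    return findings
```

Run it against a real routing table and sniffer capture to confirm whether the egress interface is right and only the source address is off, which is what the thread's output shows.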
Hi everyone!
Just to check: maybe a router policy is applied?
Copyright 2024 Fortinet, Inc. All Rights Reserved.