Hellow all!
I need help.
I have fortigate 100D firmware v5.0,build4429
Use two ISP for WAN1 and WAN2
On WAN1 Enable Web Mode
I can not access to my intermal sub-network.
Use the debug command
diagnose sniffer packet any "dst host Internal_server_ip"
I noticed that the packet outgoing ip is IP_WAN1
I think that they should have ip IP_INTERNAL_INTERFACE
Thank you for help
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
turovskiy wrote:I think that they should have ip IP_INTERNAL_INTERFACE
This is not complety right. If this was true you would get a round robin effect. This is something you don't want. The incoming interface will always be the outgoing interface.
Did you enter your portal settings right? And did you make policy's for the SSL VPN subnet to the "Internal subnet"
config vpn ssl web portal
edit "full-access"
set allow-access web ssh ping portforward
set theme gray
set page-layout double-column
config widget
edit 8
set name "Connection Tool"
set type tool
set column two
set allow-apps web ssh ping portforward
next
edit 4
set name "Corporate services"
set allow-apps web ssh portforward
config bookmarks
edit "Corporate portal"
set description "Corporate portal"
set url "http://192.168.0.X"
next
edit "Corporate mail"
set description "Corporate mail"
set url "https://192.168.19.X"
next
end
next
edit 5
set name "Tunnel Mode"
set type tunnel
set column two
set ipv6-split-tunneling disable
set ip-pools "ssl-vpn-co2-r"
next
edit 6
set name "Session Information"
set type info
next
edit 7
set name "FortiClient Download"
set type forticlient-download
set column two
next
end
next
diagnose sniffer packet any "dst host 192.168.19.X" 4
interfaces=[any]
filters=[dst host 192.168.19.X]
2.991760 co2-bk-m-1 out WAN1_IP -> 192.168.19.X: icmp: echo request
I am use metod #2
CO2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [30/0] via X.X.X.X, wan1, [25/0]
[30/0] via X.X.X.X, GT-Internet, [30/0]
S 10.2.2.0/24 [10/0] is directly connected, co2-bk-m-1, [10/0]
C 10.10.0.0/21 is directly connected, lan
S 10.11.0.0/21 [10/0] via 10.10.7.254, lan
S 10.12.0.0/21 [10/0] via 10.10.7.254, lan
S 10.20.11.0/24 [10/0] is directly connected, co2-vl-m1
S 10.80.1.0/24 [10/0] is directly connected, co2_vk_m1, [10/0]
S 10.80.2.0/24 [10/0] is directly connected, co2-vl-m1, [10/0]
C 46.164.137.64/29 is directly connected, wan1
C 85.223.232.152/29 is directly connected, GT-Internet
S 192.168.0.0/23 [10/0] via 10.10.7.254, lan
S 192.168.3.0/24 [10/0] is directly connected, co2-kf-m-1, [5/0]
[10/0] is directly connected, co2-kf-b-1, [10/0]
S 192.168.5.0/24 [10/0] is directly connected, co2-kfs-m-1, [5/0]
[10/0] is directly connected, co2-kfs-b-1, [10/0]
S 192.168.6.0/24 [10/0] is directly connected, co2_vk_m1, [10/0]
S 192.168.7.0/24 [10/0] is directly connected, co2-sdf-m-1, [10/0]
S 192.168.11.0/24 [10/0] is directly connected, co2-lviv-m-1, [5/0]
[10/0] is directly connected, co2-lviv-b-1, [10/0]
S 192.168.14.0/24 [10/0] is directly connected, co2-kho-m-1, [5/0]
[10/0] is directly connected, co2-kho-b-1, [10/0]
S 192.168.15.0/24 [10/0] is directly connected, co2-kh-m-1, [5/0]
[10/0] is directly connected, co2-kh-b-1, [10/0]
S 192.168.17.0/24 [10/0] is directly connected, co2-lit-b-1, [10/0]
[10/0] is directly connected, co2-lit-m-1, [15/0]
S 192.168.18.0/23 [10/0] is directly connected, co2-bk-m-1, [10/0]
S 192.168.20.0/24 [10/0] is directly connected, co2-kff-m-1, [5/0]
[10/0] is directly connected, co2-kff-bb-1, [10/0]
S 192.168.21.0/24 [10/0] is directly connected, co2-kfa-m-1, [5/0]
[10/0] is directly connected, co2-kfa-bb-1, [10/0]
S 192.168.23.0/24 [10/0] is directly connected, co2-msk-m-1, [5/0]
[10/0] is directly connected, co2-msk-b-1, [10/0]
S 192.168.24.0/24 [10/0] is directly connected, co2-msks-m-1, [5/0]
[10/0] is directly connected, co2-msks-bb-1, [10/0]
S 192.168.31.0/24 [10/0] is directly connected, co2-bk-m-1, [10/0]
S 192.168.33.0/24 [10/0] is directly connected, co2-bel-m-1, [5/0]
[10/0] is directly connected, co2-bel-bb-1, [10/0]
S 192.168.42.0/24 [10/0] is directly connected, co2_vk_m1, [10/0]
S 192.168.44.0/24 [10/0] is directly connected, co2-sdf-m-1, [5/0]
S 192.168.45.0/24 [10/0] is directly connected, co2-lit-b-1, [5/0]
S 192.168.46.0/24 [10/0] is directly connected, co2-kf-m-1, [5/0]
S 192.168.47.0/24 [10/0] is directly connected, co2-bel-m-1, [5/0]
S 192.168.48.0/24 [10/0] is directly connected, co2-msk-m-1, [5/0]
S 192.168.49.0/24 [10/0] is directly connected, co2-kff-m-1, [5/0]
S 192.168.50.0/24 [10/0] is directly connected, co2-kho-m-1, [5/0]
S 192.168.51.0/24 [10/0] is directly connected, co2-laack-m-1, [5/0]
[10/0] is directly connected, co2-laack-bb-1, [10/0]
S 192.168.52.0/24 [10/0] is directly connected, co2-sh-m-1, [5/0]
[10/0] is directly connected, co2-sh-bb-1, [10/0]
S 192.168.53.0/24 [10/0] is directly connected, co2-gb-m-1, [5/0]
[10/0] is directly connected, co2-gb-bb-1, [10/0]
S 192.168.54.0/24 [10/0] is directly connected, co2-jac-m-1, [5/0]
[10/0] is directly connected, co2-jac-bb-1, [10/0]
S 192.168.56.0/24 [10/0] is directly connected, co2-bos-bb-1, [10/0]
S 192.168.57.0/24 [10/0] is directly connected, co2-xo-m-1, [5/0]
[10/0] is directly connected, co2-xo-bb-1, [10/0]
S 192.168.59.0/24 [10/0] is directly connected, co2-vl-m1, [10/0]
C 192.168.60.0/24 is directly connected, wi-fi-bio-guest
S 192.168.70.0/24 [20/0] is directly connected, co2_h_m2, [10/0]
[20/0] is directly connected, co2_h_m1, [20/0]
S 192.168.200.0/24 [10/0] via 10.10.7.254, lan, [10/0]
S 192.168.230.0/24 [10/0] via 192.168.230.53, GT-L2
C 192.168.230.52/30 is directly connected, GT-L2
Hello!
set srcintf "wan1"
set dstintf "any"
set srcaddr "all"
set dstaddr "pridn-net-g" "co2-net-g" "co-net"
set action ssl-vpn
set global-label "SSL VPN"
set identity-based enable
config identity-based-policy
edit 2
set schedule "always"
set logtraffic disable
set groups "vpn-users"
set service "ALL"
set sslvpn-portal "full-access"
next
end
I am use Connection Tool Web Portal and PING 192.168.19.254
the result
# diagnose sniffer packet any "dst host 192.168.19.254 " 4
interfaces=[any] filters=[dst host 192.168.19.254 ] 4.147289 co2-bk-m-1 out IP_WAN1 -> 192.168.19.254: icmp: echo request
Using the current policy packets are forwarded to the appropriate interface, but SOURCE-IP incorrect (IP-WAN1)
The situation has not changed
Hello,
Which method you are using to ping the destination
1>Click on connect after logging in to the SSL portal and downloading Forticlient from browser?
2>Or using connection tool from SSL portal after logging in?
It should be latter as you have mentioned web mode but just to sure.
Also could you share output of command:
get router info routing-table all
Hello,
Routing appears to be in place this is the route which should be used:
S 192.168.18.0/23 [10/0] is directly connected, co2-bk-m-1, [10/0]
Regardless of distance and priority for default route as this is more specific route could you please share firewall policies created with action SSL-VPN
Hi Everyone!
just for check, maybe are a router policy applied??
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.