FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jkoay
Staff

Description

Connectivity issues occur when the SSL VPN user's remote network subnet (192.168.0.0/24) overlaps with the local network subnet behind the FortiGate (192.168.0.0/24) that the SSL VPN user needs to reach: traffic for the remote LAN is routed locally instead of through the tunnel.

This article describes how to configure SSL VPN with overlapping subnets.


Solution
To overcome the overlapping subnet issue, present the internal LAN to SSL VPN users under a non-overlapping virtual subnet and translate it with a virtual IP, following the steps below:

1) Create a new address object (Policy & Objects -> Addresses, select 'Create New' -> Address) as a virtual subnet for SSL VPN users to reach.

Name: Virtual_Subnet
Type: Subnet
Subnet / IP Range: 172.16.0.0/24

Select 'OK' to save this address object.
2) Create a virtual IP object to map Virtual_Subnet to the internal LAN subnet. Go to Policy & Objects -> Virtual IPs, select Create New -> Virtual IP.

Name: SSLVPN_VIP
Interface: internet facing interface WAN(port1)
Type: Static NAT
External IP Address/Range: 172.16.0.1 - 172.16.0.254
Mapped IP Address/Range: 192.168.0.1 - 192.168.0.254


3) Create a firewall policy for SSL VPN users to access the virtual subnet (Policy & Objects -> IPv4 Policy and select 'Create New').

Name: SSLVPN_VirtualSubnet
Incoming Interface: ssl.root
Outgoing Interface: internet facing interface WAN(port1)
Source: all
Destination: Virtual_Subnet
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enabled

Select 'OK' to save and move this policy to the top of the policy list.


4) Create a firewall policy for accessing virtual IP addresses (Policy & Objects -> IPv4 Policy and select 'Create New').

Name: SSLVPN to SSLVPN_VIP
Incoming Interface: Internet facing interface WAN(port1)
Outgoing Interface: Local LAN interface 192.168.0.0/24  (port4)
Source: all
Destination: SSLVPN_VIP
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enabled

Select 'OK' to save and move this policy to the top of the policy list.

5) Test by connecting an endpoint to the SSL VPN and verify that a host in the internal network (e.g. 192.168.0.3) is reachable by pinging its virtual address 172.16.0.3.
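The same objects and policies from steps 1 to 4, entered from the FortiOS CLI, as an added example that is not part of the original article. It assumes the interface names used in the GUI screenshots (port1 for WAN, port4 for the LAN); `edit 0` lets FortiOS assign the next free policy ID.

```fortios
# Step 1: virtual subnet presented to SSL VPN users (constructed to match the article)
config firewall address
    edit "Virtual_Subnet"
        set subnet 172.16.0.0 255.255.255.0
    next
end

# Step 2: static NAT VIP translating 172.16.0.x to 192.168.0.x one-to-one
config firewall vip
    edit "SSLVPN_VIP"
        set extintf "port1"
        set extip 172.16.0.1-172.16.0.254
        set mappedip "192.168.0.1-192.168.0.254"
    next
end

config firewall policy
    # Step 3: SSL VPN tunnel traffic towards the virtual subnet
    edit 0
        set name "SSLVPN_VirtualSubnet"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "Virtual_Subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Step 4: translated traffic into the local LAN via the VIP
    edit 0
        set name "SSLVPN to SSLVPN_VIP"
        set srcintf "port1"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "SSLVPN_VIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After creation, use `move <new-id> before <first-id>` under `config firewall policy` to place both policies at the top as the article requires; for least privilege, replace `srcaddr "all"` on the ssl.root policy with the SSL VPN address pool and add the permitted SSL VPN user group to the policy.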
