FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jkoay
Staff
Staff
Article Id 189886

Description

 

This article describes how to configure SSL VPN with overlapping subnets.

There will be connectivity issues when the remote network subnet (192.168.0.0/24) (for example, the home Wifi network) clashes with the local network subnet connected to FortiGate (192.168.0.0/24) which needs to be accessed by an SSL VPN user.

 

Scope

 

FortiGate.

 

Solution

 

To resolve the subnet overlapping issue, follow the steps below:

 

  1. Create a virtual IP object to map Virtual_Subnet to the Internal LAN subnet. Go to Policy & Object -> Virtual IPs, and select Create New -> Virtual IP.

 

Name: SSLVPN_VIP

Interface: any
Type: Static NAT
External IP Address/Range: 172.16.0.1 - 172.16.0.254
Mapped IP Address/Range: 192.168.0.1 - 192.168.0.254

 

image.png

 

  1. The separated user group, SSL VPN portal, and SSL VPN policy are created to avoid the change impacting all the other SSL VPN users. Move the SSL VPN user to the new user group which has the private network overlapped with the local private network.

1.png

 

  1. Create the SSL VPN portal for the users with overlapping:

2.png

 

  1. Add Authentication/Portal Mapping:

3.png

 

  1. Create a firewall policy for SSL VPN users to access the virtual subnet (Policy & Objects -> IPv4 Policy and select 'Create New').

Name: SSLVPN-to-Internal

Incoming Interface: ssl.root
Outgoing Interface: port3 (internal port)
Source: all
Destination: SSLVPN_VIP
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Disable

 

Select 'OK' to save and move this policy to the top.

 

image.png

 

  1. Test by connecting an endpoint to SSL VPN and make a test attempt to reach a host in the internal network (for example, 192.168.0.2) by performing a ping to 172.16.0.2.

 

image.png

 

For setup with Central SNAT enabled: Follow step 1 for the VIP setup, but for the firewall policy configuration, configure the following:

 

Name: SSLVPN-to-Internal

Incoming Interface: ssl.root
Outgoing Interface: port3 (internal port)
Source: all
Destination: Server_Real_Subnet (i.e. 192.168.0.0/24)
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Disable


image.png

Follow step 3 for the testing process.