- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Accessing SSL VPN addresses from a virtual IP....
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Accessing SSL VPN addresses from a virtual IP. Virtual IP Translation - Subnet overlapping
Hi everyone, i hope i can be as clear as possible. I've been trying to copy this setting from an old firewall for the past few hours and i can't make it.
One of my customers has a classic home subnet 192.168.1.0/24. (the mother of all broubles)
They have a lot of SSLVPN users that must access this network.
This creates a lot of overlapping since 192.168.1.0 is a very common subnet.
On the old Firewall (Fortinet 40F) there was a setting that allowed a SSLVPN user to reach all addresses in the 192.168.1.0/24 subnet by using another subnet 172.16.0.0/24.
All IP addresses would then be automatically forwarded to the corresponding server IP in subnet 192.168.1.0: Example: if I ping 172.16.0.19 i would actually ping 192.168.1.19 but it would also work if i pinged 192.168.1.19.
This was made to avoid ip conflicts in case your home subnet is the same as the company, allowing you to still reach the remote servers using a subnet that is usually not present in home connections.
I know it has something to do with virtual IPs and SSLVPN Portal but all my attempts are in vain.
Any help / alternative to avoid this subnet overlapping with SSLVPN?
Solved! Go to Solution.
Labels:
- Labels:
-
SSL-VPN
-
Virtual IP
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Palova ,
Maybe you are looking to create a VIP object to map the overlapping subnet.
Can you test like this:
1-Create a VIP to map 172.16.1.19 to 192.168.1.0/24 subnet
2-Create a firewall policy with source IP range the VPN pool and destination the VIP object created above
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/155333/virtual-ips-with-port...
.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Palova ,
Maybe you are looking to create a VIP object to map the overlapping subnet.
Can you test like this:
1-Create a VIP to map 172.16.1.19 to 192.168.1.0/24 subnet
2-Create a firewall policy with source IP range the VPN pool and destination the VIP object created above
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/155333/virtual-ips-with-port...
.
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok so i initially thought it should be done, as stated in this guide https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-with-overlapping-subnets/ta-...
I tried it but it does not seem to work.
I created VIP group, i created separate sslvpn portal, i created firewall rule and put it on top of the other SSLVPN rules, no success.
Am i missing something?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have done the configuration the same as in the mentioned article it should work.
SSL VPN with overlapping subnets - Fortinet Community
Maybe the traffic did not match the correct policy for it to work?
Run the following command to understand which policy is the traffic hitting :
diag debug reset
diag debug flow filter addr 192.168.103.83 <<< replace with the IP of the PC
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug enable
diag debug flow trace start 1000
Test again an check the output for matched policy-..
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this on a fresh firewall and everything worked after some troubleshooting and making sure everything was set the way it should. So the solution in this article https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-with-overlapping-subnets/ta-... and your help and tips solved the issue, now i will proceed on the customer's device, hoping not to blow anything up :). THANK YOU.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am happy i was able to help. Good luck on the customer's production network :)
Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another idea:
If you enable exclusive-routing (full tunnel required!), FortiClient should forcefully push all traffic into the tunnel, including what would otherwise be traffic on the local subnet (excluding the local gateway IP, for obvious reasons).
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enabling-SSL-VPN-Full-Tunnel/ta-p/191848
Other options are DNAT with a VIP+policy (as already noted), or more specific individual routes pushed to clients (if doing split-routing), e.g. a handful of /32s for destinations that need to be reached through the tunnel (won't work if that IP conflicts with the end user's local IP or local gateway IP).
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for all the support, but there are about 100 total vpn users and a full /24 subnet of servers/clients to connect to, full tunneling could be crippling for the user, and making special rules and exceptions for everyone will have effects on my mental health. :\ As soon as i can i'm taking an old 60E that has the same firmware and make some tests in a clean environment, instead of doing things on the production device. (i already got a few calls for interruptions in VPN). In theory what i did should make sense, but it does not work yet, so to make deeper modifications i must use a test environment.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like VIP is your only option remaining then.
Including users needing to learn to use the new subnet for destination IPs (If they're using IPs directly to connect to. And if yes, perhaps it's time to introduce everyone to the wonders of DNS :) )
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's fine, i can just send an email with the new links to evryone, most of them are web interfaces and RDP connections so it will be easy. Plus this feature was present on the previous firewall so they probably already have them. DNS should work (even though in many cases you must manually make entries in the hosts file in windows) but we still use IP, it skips one step as well as a point of failure/troubleshooting.
Related Posts
- Management and internal 236 Views
- Accessing SSL VPN addresses from a... 426 Views
- Overlapping ip addresses over IPSec VPN 375 Views
- Fortigate in Azure vWAN 369 Views
- mgmt interface configuration 8157 Views
Labels
-
FortiGate
6,764 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
347 -
FortiAP
346 -
FortiClient EMS
274 -
FortiMail
263 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
33 -
SD-WAN
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiAuthenticator
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
FortiMonitor
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
FortiSOAR
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.