Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Vickey
New Contributor

Lan useres to access SSL VPN client PC

hi,

 

I have a Fortigate 100D, due to current COVID situation, I have come across a requirement where some developers are testing some Code & Services. 

 

They are using SSL VPN dialin to access my Office LAN but hey are deploying some Code/Service which requires to connect back to their Laptop from that Server in the LAN, I tried creating Rules but nothing worked.

 

SSL VPN >> LAN SERVER >> SSL VPN

 

Is there any Rule/Setting which can allow LAN systems to access any Client connected via SSL VPN

Thanks in advance.

 

5 REPLIES 5
lobstercreed
Valued Contributor

I've had to build this for telephony (softphone) requirements, so I am familiar with this concept.  You might be thinking of the rules wrong.  You can't think of it as all one thing the way you wrote it out (SSL VPN >> LAN SERVER >> SSL VPN); you need to break that down into two parts.  Rules are based on SOURCE -> DEST, so you'd have a rule for SSL VPN >> LAN SERVER and then a rule that is the reverse of this: LAN SERVER >> SSL VPN

 

The limitation is that you won't be able to specify the user on the SSL VPN side for the destination.  You'll need to either decide that it doesn't matter if the LAN SERVER can talk to one SSL VPN user or all of them, or you'll need to do some work on the SSL VPN settings so that different users use different IP pools and only the ones you want the LAN SERVER to be able to connect to get the IPs that you use for the destination of the reverse rule above.

Vickey

Hi,

 

Thanks for reply.. That server is open to all Dialin Users as that is a Dev server.

 

Can you pls elaborate on how these rules are to be created.

 

Already there is a rule in Place to have full LAN access from SSL VPN side traffic.

 

Should I create a Rule

 

All traffic from SSL VPN to Server

All traffic from Server to VPN..

and remove the earlier created rules?

 

Thanks

 

Vickey
New Contributor

HI,

 

I would be really greatful if you could give some pointers to resolve this as we have deliverables and due to this limitations Developers are not able to Test their code.

 

Thanks

lobstercreed
Valued Contributor

Not sure if I can make it clearer, but I'll restate it using partly your latest reply:

 

Already there is a rule in Place to have full LAN access from SSL VPN side traffic.

 

You now need to create a 2nd rule that is the reverse of this rule (source and destination interfaces are flipped, as are the address objects).  Allow the server on the LAN to have full access to the SSL VPN traffic.

 

If this doesn't work, it's possible that there is a local firewall on their PCs that is causing the problem.  I'm not sure what ports the server is trying to connect to on their PCs?  This is a bit of an unusual requirement for an application as it does not seem to imitate real-world traffic, but perhaps they're running some element of the server on their PCs.

 

PM me if you need direct help, but it's really not particularly complicated unless you need to lock it down to only certain VPN users.

Haraldellingsen
New Contributor

Hi Vickey, just interested in hearing if you managed to sort it out? 

I myself is having trouble routing from my LAN to the VPN clients. I Added a reversed version of the policy that currently goes from SSL-VPN to LAN but I still cannot reach (ping) vpn clients from LAN network.

 

VPN  10.212.139.0/24

LAN 192.168.101.0/24

 

NAT is enabled on both policies in and out should 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors