Change IP that SSL VPN service listens on

Author: Michael Boskovic (New Member)
2014/07/25 08:02:34 (permalink)


Is it possible to change the IP that the SSL VPN service responds to requests on?
For example, I have a /28 block of IPs from my ISP and I want the WAN interface to be .2 and the SSL VPN login page to be .3.

#1

8 Replies

    ede_pfau (Expert Member, Heidelberg, Germany)
    RE: Change IP that SSL VPN service listens on 2014/07/27 05:24:17 (permalink)
    hi,

    and welcome to the forums!

    There is no setting for specifying the IP directly.
    Instead, you could try to use a VIP with port mapping:
    Firewall objects > Virtual IP > Create new
    external IP: one of your WAN IPs
    external port: say, 20443
    mapped to: your primary WAN IP
    mapped to port: 10443 (default for SSL VPN)

    Then, create a policy:
    src IF: WAN
    src IP: all
    dst IF: WAN
    dst IP: your VIP
    service: custom service for tcp/20443
    schedule: ...
    action: accept
    NAT: no

    Give it a try and let us know how it works.

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #2
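Ede's VIP-plus-policy recipe written out as FortiOS CLI, as an added illustration that is not part of the original reply. The interface name wan1, the 203.0.113.0/28 block (.2 as primary WAN IP, .3 for the VPN page) and the object names are assumptions; the ports 20443 and 10443 are the ones from the reply.

```fortios
# Port-forwarding VIP: public .3 tcp/20443 -> primary WAN IP tcp/10443 (SSL VPN default)
# 203.0.113.x addresses and object names are constructed for this example
config firewall vip
    edit "vip-sslvpn"
        set extintf "wan1"
        set extip 203.0.113.3
        set mappedip "203.0.113.2"
        set portforward enable
        set protocol tcp
        set extport 20443
        set mappedport 10443
    next
end

# Custom service limited to the single external port
config firewall service custom
    edit "SSLVPN-20443"
        set tcp-portrange 20443
    next
end

# WAN -> WAN policy that admits only that service to the VIP.
# NAT stays disabled (Ede's "NAT: no") so the SSL VPN daemon still sees the
# real client source IP in its logs, which matters for later brute-force review.
config firewall policy
    edit 0
        set name "sslvpn-via-vip"
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "vip-sslvpn"
        set action accept
        set schedule "always"
        set service "SSLVPN-20443"
        set nat disable
    next
end
```

Because the VIP is limited to tcp/20443, nothing else on the .3 address is exposed; the original listener on .2:10443 is untouched by this config.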
    Michael Boskovic (New Member)
    RE: Change IP that SSL VPN service listens on 2014/07/28 08:19:23 (permalink)
    Thanks for the reply!

    I tried the fix you recommended and everything seemed to work. Not the ideal solution I was hoping for, but serves as a valid alternative.

    Thanks for the help!
    #3
    ede_pfau (Expert Member, Heidelberg, Germany)
    RE: Change IP that SSL VPN service listens on 2014/07/28 09:30:30 (permalink)
    Using a VIP for an additional public IP address is perfectly valid. The FGT will even respond to ARP requests for it just as if it was a "physical" address. Furthermore, the mapped-to address is "masked", that is for incoming traffic the destination is NATted and for return traffic the source IP is NATted.

    Glad that it works for you now. Enjoy!

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #4
    FatalHalt (Gold Member)
    RE: Change IP that SSL VPN service listens on 2014/08/07 17:53:18 (permalink)
    I'm actually looking to do this same thing right now.

    Doing the VIP should work great for my purposes, however by doing that, wouldn't the 'normal settings' of https://primarywan:10443 still serve to access the VPN?

    What I'd like to do is change the IP, using a VIP in this case is fine, but then not allow the normal settings to work.

    Am I thinking about this right?
    #5
    ede_pfau (Expert Member, Heidelberg, Germany)
    RE: Change IP that SSL VPN service listens on 2014/08/08 02:18:14 (permalink)
    Right, a VIP opens just another IP+port access. You could block access to the original IP+port via a Local In policy I guess.

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #6
    FatalHalt (Gold Member)
    RE: Change IP that SSL VPN service listens on 2014/08/08 08:13:53 (permalink)
    Just played around with this, and the local deny policy worked great.

    A VIP worked, but I also tried using a secondary wan1 IP, which worked as well, not sure which one I like more though.
    #7
    ede_pfau (Expert Member, Heidelberg, Germany)
    RE: Change IP that SSL VPN service listens on 2014/08/08 09:57:34 (permalink)
    I'd go with a VIP anytime. First, it's much more visible, and secondly, you can narrow it down to just 1 port. But it's your choice...

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #8
    lobstercreed (Gold Member, Sedalia, MO)
    Re: RE: Change IP that SSL VPN service listens on 2020/05/20 15:13:45 (permalink)
    Super old thread, I know, but it was referenced in a more recent post and I wanted to make sure y'all knew that you can actually set up a loopback interface to accomplish this.

    • Create a loopback with some private IP address and then set the SSL-VPN to listen only on the loopback interface.
    • Then create the VIP to point to the private IP on the loopback.
    • Lastly create a policy from your WAN to your loopback for HTTPS.
    Boom, you have what you did here but without it listening on your actual public interface. I did this years ago myself actually to solve the problem of having more than one ISP but wanting a consistent VPN address (using BGP peering for my ISPs).
    #9