Michael_Boskovic
New Contributor

Change IP that SSL VPN service listens on

Is it possible to change the IP that the SSL VPN service responds to requests on? For example, I have a /28 block of IP' s from my ISP and I want the WAN interface to be .2 and the SSL VPN login page to be .3
Michael Boskovic CCIE, CCDP, CCNP, CCNA, FCNSP, FCNSA
ede_pfau
SuperUser

hi, and welcome to the forums! There is no setting for specifying the IP directly. Instead, you could try to use a VIP with port mapping:

Firewall objects > Virtual IP > Create new
external IP: one of your WAN IPs
external port: say, 20443
mapped to: your primary WAN IP
mapped to port: 10443 (default for SSL VPN)

Then, create a policy:
src IF: WAN
src IP: all
dst IF: WAN
dst IP: your VIP
service: custom service for tcp/20443
schedule: ...
action: accept
NAT: no

Give it a try and let us know how it works.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
mark14

Summarizing, for the moment there is only one solution?

ede_pfau wrote:
hi, and welcome to the forums! There is no setting for specifying the IP directly. Instead, you could try to use a VIP with port mapping:

Firewall objects > Virtual IP > Create new
external IP: one of your WAN IPs
external port: say, 20443
mapped to: your primary WAN IP
mapped to port: 10443 (default for SSL VPN)

Then, create a policy:
src IF: WAN
src IP: all
dst IF: WAN
dst IP: your VIP
service: custom service for tcp/20443
schedule: ...
action: accept
NAT: no

Give it a try and let us know how it works.

Michael_Boskovic
New Contributor

Thanks for the reply! I tried the fix you recommended and everything seemed to work. Not the ideal solution I was hoping for, but serves as a valid alternative. Thanks for the help!
Michael Boskovic CCIE, CCDP, CCNP, CCNA, FCNSP, FCNSA
ede_pfau
SuperUser

Using a VIP for an additional public IP address is perfectly valid. The FGT will even respond to ARP requests for it just as if it was a "physical" address. Furthermore, the mapped-to address is "masked", that is, for incoming traffic the destination is NATted and for return traffic the source IP is NATted. Glad that it works for you now. Enjoy!

Ede

"Kernel panic: Aiee, killing interrupt handler!"
FatalHalt
Contributor II

I'm actually looking to do this same thing right now. Doing the VIP should work great for my purposes, however by doing that, wouldn't the 'normal settings' of https://primarywan:10443 still serve to access the VPN? What I'd like to do is change the IP, using a VIP in this case is fine, but then not allow the normal settings to work. Am I thinking about this right?
ede_pfau
SuperUser

Right, a VIP opens just another IP+port access. You could block access to the original IP+port via a Local In policy I guess.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
FatalHalt
Contributor II

Just played around with this, and the local deny policy worked great. A VIP worked, but I also tried using a secondary wan1 IP, which worked as well, not sure which one I like more though.
ede_pfau
SuperUser

I'd go with a VIP anytime. First, it's much more visible, and secondly, you can narrow it down to just 1 port. But it's your choice...

Ede

"Kernel panic: Aiee, killing interrupt handler!"
lobstercreed

Super old thread, I know, but it was referenced in a more recent post and I wanted to make sure y'all knew that you can actually set up a loopback interface to accomplish this.

  • Create a loopback with some private IP address and then set the SSL-VPN to listen only on the loopback interface.
  • Then create the VIP to point to the private IP on the loopback.
  • Lastly create a policy from your WAN to your loopback for HTTPS.

Boom, you have what you did here but without it listening on your actual public interface. I did this years ago myself actually to solve the problem of having more than one ISP but wanting a consistent VPN address (using BGP peering for my ISPs).
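The loopback approach from the post above, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in this thread; it assumes the public /28 sits on wan1, that 203.0.113.2 is the primary WAN IP and 203.0.113.3 the spare one reserved for SSL VPN, and that 10.255.255.1 is a constructed private loopback address (object names are likewise made up). Because the portal is bound to the loopback, the original wan1:10443 listener goes away on its own, so the separate Local In deny discussed earlier is not needed with this variant.

```fortios
# Added example (not from this thread). Assumed addressing: wan1 = public /28,
# 203.0.113.2 = primary WAN IP, 203.0.113.3 = spare IP for SSL VPN,
# 10.255.255.1 = constructed private loopback address.
config system interface
    edit "sslvpn-lo"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
    next
end

# Bind the SSL VPN portal to the loopback only, so it no longer answers on wan1.
config vpn ssl settings
    set source-interface "sslvpn-lo"
    set port 10443
end

# Publish the spare public IP: tcp/443 on 203.0.113.3 -> tcp/10443 on the loopback.
# The FortiGate answers ARP for 203.0.113.3 once this VIP exists.
config firewall vip
    edit "sslvpn-vip"
        set extintf "wan1"
        set extip 203.0.113.3
        set portforward enable
        set extport 443
        set mappedip "10.255.255.1"
        set mappedport 10443
    next
end

# Allow only the VIP (one IP, one port) from wan1 into the loopback; no NAT.
config firewall policy
    edit 0
        set name "sslvpn-in"
        set srcintf "wan1"
        set dstintf "sslvpn-lo"
        set srcaddr "all"
        set dstaddr "sslvpn-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
end
```

After applying, check with `diagnose sys tcpsock | grep 10443` (or a port scan from outside) that the portal answers on 203.0.113.3:443 and no longer on 203.0.113.2:10443.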
