SSL VPN - PC connected via SSL VPN is not ping-able

Author
kuoman
2017/02/01 09:55:27 (permalink) 5.2
0

SSL VPN - PC connected via SSL VPN is not ping-able

When the PC is connected via SSL VPN, it gets an IP (i.e. 192.168.1.101). The PC can ping any device on 192.168.1.0/24; however, when I tried to ping the PC (192.168.1.101), it is not reachable. Not sure if there is some additional setting that I need to configure?
 
Remote PC (192.168.1.101)  <=> FortiGate FW <=> network elements (i.e. 192.168.1.50)
 
PING from 192.168.1.101 to 192.168.1.50 works
PING from 192.168.1.50 to 192.168.1.101 is not working (unreachable)
#1
Alby23
Re: SSL VPN - PC connected via SSL VPN is not ping-able 2017/02/01 13:26:20 (permalink) Helpful by FirewallNoob 2019/11/13 11:42:02
5 (1)
Have you configured a policy with Source Interface: your LAN and Destination Interface: ssl.root?
#2
rwpatterson
Re: SSL VPN - PC connected via SSL VPN is not ping-able 2017/02/01 14:40:18 (permalink)
0
Never going to work. The source and destination are on the same subnet. The FGT creates a virtual interface to connect to the LAN. If you look at the VPN monitor you will see the real IP address as well as the address the firewall is handing out to connect in. You MAY be able to ping the ssl-root IP address. I have never tried it, but you will not be able to ping the native address in this situation. This is why I stress when you create your network, don't be lazy and change the subnet on the system to anything but the default. Changing it before everyone gets set up is far easier than after you have 100 devices on it and run into an issue. (case in point)

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#3
Alby23
Re: SSL VPN - PC connected via SSL VPN is not ping-able 2017/02/01 15:36:03 (permalink)
0
If the subnet is more specific than a /24 it could work, even if I think it is a /24.
 
If the problem is the subnet, ssl --> lan should not work either, but he reports that it's working, so there are two scenarios:
 - he has applied NAT to the incoming traffic
 - the subnet is more specific
 
If the LAN and the SSL are on the same subnet, anyway, this is not a great problem.
He can easily change the address range assigned to the SSL Clients. No big deal.
#4
kuoman
Re: SSL VPN - PC connected via SSL VPN is not ping-able 2017/02/01 19:03:54 (permalink)
0
Hi rwpatterson and Alby23, thank you for your comments. The SSL clients and the network elements are on different subnets, but they are all private IPs.
 
SSL VPN Tunnel Address: 192.168.200.100 ~ 192.168.200.150
Network Element Addresses: 192.168.2.0/24
Under IPv4 policy, I do not have LAN as source and ssl.root as destination. I followed the SSL VPN configuration on the document site (http://cookbook.fortinet.com/ssl-vpn-for-remote-users/). NAT is enabled; what if I disabled NAT, since the client is getting its IP from the SSL VPN tunnel IP range? I'll try adding that policy tomorrow and try it out again.
 
Below is what I have on the IPv4 policy
 
[Source]                                                      [Destination]
ssl.root (sslvpn tunnel interface)                      <=>   WAN interface
SSLVPN_Tunnel_Address (192.168.200.100 ~ 192.168.200.150)     all (0.0.0.0/0)
 
ssl.root (sslvpn tunnel interface)                      <=>   LAN interface
SSLVPN_Tunnel_Address (192.168.200.100 ~ 192.168.200.150)     core (192.168.2.0/24)
 
post edited by kuoman - 2017/02/01 19:13:45
#5
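Added example, not part of any post in this thread: a simplified model of directional, first-match policy lookup applied to the two policies listed in post #5, showing why a new session from the LAN to an SSL VPN client matches nothing until a LAN-to-ssl.root policy like the one asked about in post #2 exists. The policy names, the interface labels `lan` and `wan`, and the sample host addresses are constructed for illustration; NAT and routing are not modelled.

```python
import ipaddress

def ip_range(first, last):
    """Membership test for an inclusive address range (like the tunnel pool)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda ip: lo <= ipaddress.ip_address(ip) <= hi

def subnet(cidr):
    """Membership test for a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return lambda ip: ipaddress.ip_address(ip) in net

# Address objects taken from post #5.
TUNNEL = ip_range("192.168.200.100", "192.168.200.150")  # SSLVPN_Tunnel_Address
CORE = subnet("192.168.2.0/24")                          # core
ANY = subnet("0.0.0.0/0")                                # all

# (name, srcintf, dstintf, srcaddr, dstaddr); names are hypothetical labels.
POSTED_POLICIES = [
    ("sslvpn-to-wan", "ssl.root", "wan", TUNNEL, ANY),
    ("sslvpn-to-lan", "ssl.root", "lan", TUNNEL, CORE),
]
# The reverse-direction policy asked about in post #2.
REVERSE_POLICY = ("lan-to-sslvpn", "lan", "ssl.root", CORE, TUNNEL)

def match_policy(policies, srcintf, dstintf, src, dst):
    """Return the first policy matching a NEW session, or None (implicit deny).

    Replies inside an already accepted session are not looked up again,
    which is why client -> LAN pings work with only the posted policies.
    """
    for name, p_srcintf, p_dstintf, p_src, p_dst in policies:
        if (srcintf, dstintf) == (p_srcintf, p_dstintf) and p_src(src) and p_dst(dst):
            return name
    return None

if __name__ == "__main__":
    client, host = "192.168.200.101", "192.168.2.50"  # constructed sample hosts
    flows = [
        ("client -> LAN, posted policies", POSTED_POLICIES, "ssl.root", "lan", client, host),
        ("LAN -> client, posted policies", POSTED_POLICIES, "lan", "ssl.root", host, client),
        ("LAN -> client, reverse added", POSTED_POLICIES + [REVERSE_POLICY],
         "lan", "ssl.root", host, client),
    ]
    for label, policies, sintf, dintf, src, dst in flows:
        print(f"{label}: {match_policy(policies, sintf, dintf, src, dst) or 'implicit deny'}")
```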
cumafo
Re: SSL VPN - PC connected via SSL VPN is not ping-able 2018/06/19 13:07:09 (permalink)
0
Did you ever succeed with this?
/C
#6