- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL VPN with dynamic WAN-IP and static VIP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN with dynamic WAN-IP and static VIP
Hi there!
I'm trying to configure SSL VPN. My WAN-Interface is configured to DHCP (1.1.1.1) and I got a fixed virtual IP-Address (2.2.2.2) from my Provider as well. I configured SSL VPN to port 10443. DynDNS (x.fortiddns.com) works fine on the dynamic assigned address. SSL VPN works fine with x.fortiddns.com:10443.
But I want to use my fixed address (assigned to a subdomain of my webdomain and with an own certificate) to reach the SSL VPN at 2.2.2.2:10443 or sub.domain.com:10443. I thought about using a VIP for my fixed address but I can't map it to my WAN IP because of DHCP.
Has anyone an idea?
Thanks in advance!
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome to the forums.
Use the wildcard IP 0.0.0.0 in the VIP definition. That will use any WAN IP address. Make sure you enable port mapping or the entire space will go to that one VIP mapping.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply!
The idea sounds good, but I can't get it up.
I used the designated IP for "External IP" and the wildcard for "Mapped IP" and set the Port Forwarding "External" an "Map to Port" to the designated port: Error "Input value is invalid."
Also tried the wildcard for "External IP" and for "Mapped IP", same result :(
BTW: There are already two VIPs configured to IP-Adresses in the DMZ, the work pretty good.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wait you used the wildcard for mapped IP? The wildcard should be used in the external ip field, and it's just a value which translates to: Insert my current WAN IP here.
Can you give us an example of the VIP you are trying to configure, and the IP addresses of the internal server? (mask the ip addresses accordingly so you don't give out sensitive information).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I understand, you want to use 2.2.2.2 to be forwarded to your internal server.
If you configure a VIP with 2.2.2.2 as external, 192.168.x.y (substitute your server's private internal address) as 'mapped to', NO port forwarding, can you a) create this VIP, and if so, b) can you ping the server?
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My WAN-Connection runs over a cable modem with a dynamic IP adress from my provider (80.110.x.x). Additionally my provider supports me with 4 static IP adresses, one of them (212.186.x.1, 212.186.x.2, 212.186.x.3, 212.186.x.4) I want to use for my SSL VPN.
I configured the SSL VPN and it works fine with https:// 80.110.x.x and also over xxxx.fortiddns.com. There is also a webserver (10.1.1.1) in the DMZ behind the FG. One of the static adresses is forwarded with VIP: Interface: WAN, External IP: 212.186.x.1, Internal IP: 10.1.1.1, no filters, no special port forwarding. Allows traffic is defined with incoming and outgoing policies. Until now everthing works perfect!
But know I want to use one of remaining static IP adresses (212.186.x.2) for the for the SSL VPN. So the SSL VPN Portal should listen to 212.186.x.2:10443
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
DYDNS will make help you.
First, configure a DYDNS on FortiGate and it will update automatically when IP will change from ISP site.
Second, Create a Subdomain on your DNS (Public) DNS server and give the DYDNS name instant of IP address of subdomain.
Third, A single certificate must have both DNS name to verify 1. Subdomain and 2. DYDNS name.
Regards,
Deepak Kumar
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for my late answer, the project was postponed by the customer.
I want to use one of my virtual IP-address for SSL-VPN, so the VPN portal has to listen to the virtual IP address.
So how can I configure the FG WAN-Interface (basicly configured to DHCP) to listen additionally to a virtual IP?
Actually my CA doesn't support two domain names for one certificate.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The virtual IP address changes as you have stated. The ways to do this are:
1) Change the outside IP address on the VIP definition each time the dynamic address changes (waste of bandwidth...), or
2) Use the wildcard 0.0.0.0 on the outside VIP interface definition
Also, if you are using DynDNS (or something similar), then the cert should be good because it uses a domain name and the outside IP will resolve to the name, just a single port for the SSL VPN connection.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Related Posts
- SD-WAN IPSec Main Backup tunnels with... 17 Views
- FortiOS 7.2.4 IPSec split-tunnel breaks local... 251 Views
- How to create custom ips signature... 247 Views
- Dual ISP Failover with Azure VPN... 164 Views
- IkeV2 IPSEC-crash during HA failover after... 277 Views
Labels
-
FortiGate
6,508 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
72 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.