SSL-vpn -> LAN -> ipsec

Author
zlimmen
2018/05/15 23:31:16

Hi,
So I have a customer that wants me to set up SSL-VPN so he can access the company LAN, and he also wants access to an RDP on an IPsec connection.
 
The SSL-VPN part is no problem, but the part where he wants to use RDP against the IPsec connection is: the connection against the IPsec has to be from the company LAN.
 
Is VIP the way to go? If yes, please give me an example.
 
Thanks in advance :)
#1

    Toshi Esumi
    Re: SSL-vpn -> LAN -> ipsec 2018/05/16 08:49:47
    On the SSL VPN side, if it's split-tunnel, you need to add the RDP destination address or subnet to come through the SSL VPN tunnel.
    On the IPsec side, you need to add the SSL VPN's subnet to the IPsec tunnel to pass through on both local and remote sides, just like adding a new LAN subnet for the IPsec.
    #2
    zlimmen
    Re: SSL-vpn -> LAN -> ipsec 2018/06/01 05:17:26
    Wow, I forgot about this post, sorry.
     
    The problem is that I do not have access to the IPsec on the other side, so the question is how to NAT SSL VPN through the LAN to IPsec, so that the other side thinks it is coming from the company LAN.
     
    Hopefully you understand my problem.
    #3
    Toshi Esumi
    Re: SSL-vpn -> LAN -> ipsec 2018/06/01 08:32:39
    Then, reserve/exclude an IP from LAN DHCP (in case of DHCP), create an ippool like below, and use it in a separate policy from ssl.root to the IPsec interface.
    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-transparent-54/3-Networking/2-NAT/2-SNAT.htm
     
    #4
    hawada
    Re: SSL-vpn -> LAN -> ipsec 2020/03/20 03:20:12
    Hello,
     
    I know that this is an old post, but there are 2 solutions for this scenario:
    The first works as Toshi Esumi suggested.
     
    The second solution is:
    1- On the SSL VPN side, if it's split-tunnel, you need to add the RDP destination address or subnet to pass through the SSL VPN tunnel.
    2- The IPsec tunnel should be up and running between the LAN subnet and the destination subnet.
    3- Configure an SSL policy where the Source is the "SSL root interface" and the Destination is the "IPsec interface". Then enable NAT and create an IPPool using a free IP address from the LAN subnet. All incoming traffic coming through the SSL VPN interface trying to reach the destination subnet will be NATed by the IPPool.
     
    Regards,
     
    #5
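
The IP pool and policy from step 3 of reply #5, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. The addresses, the pool, address-object and policy names, the tunnel interface name "to-remote" and the user group "sslvpn-rdp-users" are constructed placeholders, and the `#` lines are annotations to strip before pasting.

```fortios
# Assumed for illustration: company LAN 192.168.1.0/24, free LAN address
# 192.168.1.250 (excluded from the DHCP range), remote RDP host 10.20.30.40.

# One-address overload pool: every SSL VPN session leaves the tunnel with a
# source inside the LAN subnet the remote peer already accepts.
config firewall ippool
    edit "sslvpn-as-lan"
        set type overload
        set startip 192.168.1.250
        set endip 192.168.1.250
    next
end

# Destination object scoped to the single RDP host, not the remote subnet.
config firewall address
    edit "remote-rdp-host"
        set subnet 10.20.30.40 255.255.255.255
    next
end

# Separate policy from ssl.root to the IPsec interface, limited to one user
# group, one destination and the RDP service, with traffic logging on.
config firewall policy
    edit 0
        set name "sslvpn-to-ipsec-rdp"
        set srcintf "ssl.root"
        set dstintf "to-remote"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "remote-rdp-host"
        set groups "sslvpn-rdp-users"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat enable
        set ippool enable
        set poolname "sslvpn-as-lan"
        set logtraffic all
    next
end
```

Because every SSL VPN user shares the one pool address, the remote side sees a single LAN host; the FortiGate traffic log for this policy is the only place individual users can be told apart.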