SSL-VPN Public IP

adamsf1
2019/09/16 01:58:23

Hi Guys,
 
I have been looking at making this change for some time now but would like some advice on the best way to get this done.
I have looked through the forums and some CB but the best advice is that from an FG pro.
Our public IP in the office is 196.x.x.x.
 
When our users dial up to the SSL-VPN they are able to access our office servers.
When they dial into the VPN the FG assigns them a local IP of 10.212.x.x and their public IP does not change to the office IP.
I am looking for a way of giving the users the same IP as our office. Is this possible?
 
#1


    rwpatterson
    Re: SSL-VPN Public IP 2019/09/16 05:49:57
    Welcome to the forums.
     
    You need to be a bit more specific. The user's IP address will never change. You need to tell us under which context you wish to have their address appearance changed.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #2
    adamsf1
    Re: SSL-VPN Public IP 2019/09/16 07:24:55
    So when user 1 connects to the SSL-VPN he still has his public IP, which is e.g. 105.12.x.x.
    I need to set up the SSL-VPN so that when user 1 connects, his IP would change to the office IP, which is 196.22.x.x.
     
    Some of our servers are sitting in AWS and we find ourselves whitelisting IPs when these users are outside of the office.
     
    We have a RAS setup on a Windows server that works on L2TP but I am hoping to get rid of this server and make use of the FortiGate instead.
    I did disable split tunnelling as some forums recommend but after I disable split tunnelling I can only hit the local LAN.
     
     
    #3
    rwpatterson
    Re: SSL-VPN Public IP 2019/09/16 07:38:56
    You need to create a policy from SSL-VPN to the Internet with NAT enabled. If you do not include an IP pool, the default WAN address will be used, hopefully fulfilling your initial request. You will need also a static route to the SSL subnet with those addresses so that return traffic knows where to go. You may have already done that part.

     
    #4
    jorge.americo
    Re: SSL-VPN Public IP 2019/09/16 08:04:26
    #5
    rwpatterson
    Re: SSL-VPN Public IP 2019/09/16 10:19:47
    With split tunnel, the remote user gets to the Internet using his own IP address and ISP. What the OP posted is that he did not want to do that.

     
    #6
    jorge.americo
    Re: SSL-VPN Public IP 2019/09/16 11:26:26
    Exactly, by default, split is enabled. What he wants is to "undo" the split, no?
    I wrote about split to better understand the solution and identify if that is the issue.
    #7
    rwpatterson
    Re: SSL-VPN Public IP 2019/09/16 12:14:15
    adamsf1 wrote: "I did disable split tunnelling as some forums recommend but after I disable split tunnelling I can only hit the local LAN."

    This is what I was referring to.
     
    #8
    jorge.americo
    Re: SSL-VPN Public IP 2019/09/16 12:38:32
    If the split has been disabled and it is still with 105.12.x.x, there are two options:
     
    Or split isn't disabled.
    Or use a proxy.
    #9
    adamsf1
    Re: SSL-VPN Public IP 2019/09/17 01:09:41
    Thanks, jorge and rwpatterson, for your help.
     
    So yesterday I disabled the split tunnelling again.
    I created a new policy that allows traffic out to the internet on wan2 instead of the internal policy set.
    Some traffic did flow in and out and I could send and receive WhatsApps on my web browser (so strange),
    but I still can't load a page and am still not getting the IP 196.x.x.x.
    I did an mtr and it seems like I can only hit that 10.213.x.x IP that the FG issues to the SSL VPN users.
    #10
    jorge.americo
    Re: SSL-VPN Public IP 2019/09/17 04:30:56
    Can you post the policy?
    #11
    adamsf1
    Re: SSL-VPN Public IP 2019/09/17 05:51:35
    WG100D # show firewall policy 21
    config firewall policy
        edit 21
            set uuid 429b7a54-ce43-51e5-4620-79c140ddb751
            set srcintf "dmz"
            set dstintf "internal"
            set srcaddr "ALL"
            set dstaddr "All LAN SERVERS-192.168.1.3-50"
            set action accept
            set schedule "always"
            set service "RDP" "SAMBA" "SMB" "HTTP" "HTTPS" "ALL_ICMP" "FTP"
        next
    end
     
    Above is the current policy we have with the working VPN with split tunnel enabled.
     
    Below is what I created yesterday:
     
            set name "SSL-VPN-Internet"
            set uuid b00a0412-d893-51e9-2436-234e0557b1b8
            set srcintf "ssl.root"
            set dstintf "wan2"
            set srcaddr "all"
            set dstaddr "all_internal"
            set action accept
            set schedule "always"
            set service "ALL"
            set groups "SSL_VPN_Users"
            set nat enable
            set fixedport enable
        next
    end
    #12
    jorge.americo
    Re: SSL-VPN Public IP 2019/09/17 06:08:05
    Check the route table in the client and post it.
    #13
    adamsf1
    Re: SSL-VPN Public IP 2019/09/26 05:05:59
    Thank you for the assistance, jorge.americo and rwpatterson.
     
    So to get this working I created a new policy and had the Destination set to ALL 0.0.0.0/0 (this was key to getting everything working).
    Also, my outgoing interface was set to internal instead of using my WAN connection where my primary internet connection is.
    I disabled split tunnelling,
    and my client was able to get my office IP of 196.x.x.x.
     
    Thanks again, guys!
     
     
    #14
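The two conditions that came out of this thread (NAT enabled on the SSL-VPN egress policy, post #4, and a destination of "all", post #14) can be checked mechanically over `show firewall policy` output. This is an added example, not part of the original thread: the edit ids 99 and 100, the function names and the sample text are constructed, and it assumes the tunnel interface is `ssl.root` and that an address object named "all" means 0.0.0.0/0.

```python
import re

# Constructed sample: the key lines of the policy from post #12 under a
# placeholder edit id (99), plus a variant with dstaddr widened to "all" (100).
SAMPLE = '''config firewall policy
    edit 99
        set srcintf "ssl.root"
        set dstintf "wan2"
        set dstaddr "all_internal"
        set action accept
        set nat enable
    next
    edit 100
        set srcintf "ssl.root"
        set dstintf "wan2"
        set dstaddr "all"
        set action accept
        set nat enable
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from FortiOS policy output."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit (\d+)$', line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == 'next':
            current = None
        elif current is not None and (m := re.match(r'set (\S+) (.+)$', line)):
            # A value is either a quoted string (may contain spaces) or a bare word.
            vals = re.findall(r'"([^"]*)"|(\S+)', m.group(2))
            current[m.group(1)] = [q or bare for q, bare in vals]
    return policies

def audit_full_tunnel(policies, vpn_if='ssl.root'):
    """For each policy sourced from the SSL-VPN interface, list what blocks Internet egress."""
    findings = {}
    for pid, p in policies.items():
        if vpn_if not in p.get('srcintf', []):
            continue
        issues = []
        # Assumption: an address object literally named "all" is 0.0.0.0/0.
        if 'all' not in [a.lower() for a in p.get('dstaddr', [])]:
            issues.append('dstaddr is not "all" (0.0.0.0/0)')
        if p.get('nat') != ['enable']:
            issues.append('nat is not enabled')
        findings[pid] = issues
    return findings
```

An empty list for a policy id means both conditions hold; split tunnelling is a portal setting and is not visible in the policy output, so it has to be checked separately.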
    rwpatterson
    Re: SSL-VPN Public IP 2019/09/26 06:28:59
    Glad you sorted things out.

     
    #15