SSL VPN - Allow Single Host

Author: intel233
New Member
2019/12/10 08:53:48

SSL VPN - Allow Single Host

When I VPN I only want 1 IP allowed on a particular subnet. Is this possible? I tried creating the Address 192.168.1.120/32 and adding that as the destination, but it does not work.
#1

9 Replies

    Toshi Esumi
    Expert Member
    Re: SSL VPN - Allow Single Host 2019/12/10 11:34:40
    Is it the allowed internal destination to get to from the client side? Or IP pool for the SSL VPN client?
    #2
    intel233
    New Member
    Re: SSL VPN - Allow Single Host 2019/12/10 13:12:45
    The 192.168.1.0/24 is not in the destination for the SSL VPN. 
    #3
    Toshi Esumi
    Expert Member
    Re: SSL VPN - Allow Single Host 2019/12/10 14:15:11
    So you configured it under SSL VPN Portals->Source IP Pools (GUI), or config vpn ssl web portal/edit "portal_name"/set ip-pools </32_name> (CLI)? I think it should work.
    #4
    intel233
    New Member
    Re: SSL VPN - Allow Single Host 2019/12/11 05:42:43
    I apologize if I am not explaining this correctly. I am new to the Fortinet firewall. What I did was create the address under Policy & Objects (called TEST). After that I went to IPv4 Policy. I have an SSL-VPN tunnel interface (ssl.root) and under Destination I added that address (TEST). Not sure if it is because I don't have the gateway? But I tried using the gateway instead of the IP and that didn't work either. I could not ping it. Ping is enabled because I can ping the other 2 subnets. The other 2 subnets are /24.
    #5
    Toshi Esumi
    Expert Member
    Re: SSL VPN - Allow Single Host 2019/12/11 08:57:23
    Still not clear what you want to do. Do you want to access one SSL VPN client machine from an internal network directly connected to the FGT?
    #6
    Dave Hall
    Expert Member
    Re: SSL VPN - Allow Single Host 2019/12/11 10:51:56
    The SSL-VPN tunnel interface is just that - an interface - you still need to configure it, including type of access, and a remote user (ID) to use/connect to it.  The overall view of SSL-VPN is provided here
     
    What exactly are you trying to do?  The SSL-VPN connection set up is primarily used by remote users outside (e.g. on Internet) to connect through the fgt firewall to access resources on the inside (behind) the fgt.
     
    If you have multiple subnets behind the fgt firewall (e.g. 192.168.1.*, 192.168.2.*, etc.) you generally create firewall rules between the subnets (interfaces) with NAT disabled.
     
    intel233
    I apologize if I am not explaining this correctly. I am new to the Fortinet firewall. What I did was create the address under Policy & Objects (called TEST). After that I went to IPv4 Policy. I have an SSL-VPN tunnel interface (ssl.root) and under Destination I added that address (TEST). Not sure if it is because I don't have the gateway? But I tried using the gateway instead of the IP and that didn't work either. I could not ping it. Ping is enabled because I can ping the other 2 subnets. The other 2 subnets are /24.

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #7
    intel233
    New Member
    Re: SSL VPN - Allow Single Host 2019/12/11 12:13:39
    When I VPN I want to be able to hit that single host on that subnet. I don't want to open the whole /24. It's just 1 IP that hosts a web page that I would need to get to while connected to VPN.
    #8
    Dave Hall
    Expert Member
    Re: SSL VPN - Allow Single Host 2019/12/11 13:47:54
    Post a screenshot showing the address objects created/used along with the actual firewall rule(s), and did you confirm that even with the entire /24 range you can actually reach/connect to that single host?
     
    intel233
    When I VPN I want to be able to hit that single host on that subnet. I don't want to open the whole /24. It's just 1 IP that hosts a web page that I would need to get to while connected to VPN.

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #9
    ShawnZA
    Bronze Member
    Re: SSL VPN - Allow Single Host 2019/12/11 20:39:51
    intel233
    When I VPN I only want 1 IP allowed on a particular subnet. Is this possible? I tried creating the Address 192.168.1.120/32 and adding that as the destination, but it does not work.

    Yes, that's normal, to lock your VPN down to single IPs, ports, etc. Who allows everything? That would be crazy!
     
    Is that /32 in a new range that you are using? Has that been specified as a routing address the VPN clients can access under the VPN Portal settings? If not, add it there as well, or else the new rule will not work...
    #10
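    As an added example (not from any poster in this thread), here are the two places on a FortiGate where the single-host object has to appear for ShawnZA's point to hold: the portal's split-tunnel routing address list, which is what puts the /32 route on the client, and the firewall policy from ssl.root, which is what allows the traffic once it arrives. The object name TEST and host 192.168.1.120/32 come from the thread; the portal name full-access, pool SSLVPN_TUNNEL_ADDR1, interface internal and group sslvpn_users are assumptions, and the # comments are for the reader and must be stripped before pasting into the CLI.

```text
# Added example, FortiOS 6.0-era CLI syntax. Only TEST and 192.168.1.120 are
# from the thread; every other name is an assumption for illustration.

# 1. The single-host address object intel233 created in the GUI.
config firewall address
    edit "TEST"
        set subnet 192.168.1.120 255.255.255.255
    next
end

# 2. The portal. With split tunneling enabled the client only installs routes
#    for the addresses listed here, so a /32 missing from this list is never
#    sent into the tunnel and the firewall policy below is never consulted.
#    (With split tunneling disabled, all client traffic enters the tunnel and
#    only the policy in step 3 decides what is reachable.)
config vpn ssl web portal
    edit "full-access"                       # assumed portal name
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "TEST"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"   # default client pool object
    next
end

# 3. The policy: ssl.root -> LAN, destination TEST only, NAT off (as Dave Hall
#    describes for internal rules), service narrowed to the web page.
config firewall policy
    edit 0
        set name "sslvpn-to-single-host"
        set srcintf "ssl.root"
        set dstintf "internal"               # assumed LAN interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "TEST"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "sslvpn_users"            # assumed group mapped to the portal
        set nat disable
        set logtraffic all                   # log accepted sessions for review
    next
end
```

    After connecting, the client's routing table should show a host route for 192.168.1.120/32 via the tunnel adapter; if it is absent, step 2 is the missing piece, and if it is present but the host is still unreachable, step 3 (or the host's own firewall) is where to look.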