Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
intel233
New Contributor

SSL VPN - Allow Single Host

When I VPN I only want 1 IP allowed on a particular subnet. Is this possible? I tried creating the Address 192.168.1.120/32 and adding that as the destination, but it does not work.

Toshi_Esumi
Esteemed Contributor III

Is it the allowed internal destination to get to from the client side? Or IP pool for the SSL VPN client?

intel233

The 192.168.1.0/24 is not in the destination for the SSL VPN.

Toshi_Esumi
Esteemed Contributor III

So you configured it under SSL VPN Portals->Source IP Pools (GUI), or config vpn ssl web portal/edit "portal_name"/set ip-pools </32_name> (CLI)? I think it should work.

intel233

I apologize if I am not explaining this correctly. I am new to the Fortinet firewall. What I did was create the address under Policy & Objects (called TEST). After that I went to IPv4 Policy. I have an SSL-VPN tunnel interface (ssl.root), and under Destination I added that address (TEST). Not sure if it's because I don't have the gateway? But I tried using the gateway instead of the IP and that didn't work either. I could not PING it. Ping is enabled, because I can ping the other 2 subnets. The other 2 subnets are /24.

Toshi_Esumi
Esteemed Contributor III

Still not clear what you want to do. Do you want to access one SSL VPN client machine from an internal network directly connected to the FGT?

intel233

When I VPN I want to be able to hit that single host on that subnet. I don't want to open the whole /24. It's just 1 IP that hosts a web page that I would need to get to while connected to VPN.

Dave_Hall
Honored Contributor

Post a screenshot showing the address objects created/used along with the actual firewall rule(s). Also, did you confirm that even with the entire /24 range you can actually reach/connect to that single host?

intel233 wrote:

When I VPN I want to be able to hit that single host on that subnet. I don't want to open the whole /24. It's just 1 IP that hosts a web page that I would need to get to while connected to VPN.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave_Hall
Honored Contributor

The SSL-VPN tunnel interface is just that - an interface - you still need to configure it, including the type of access and a remote user (ID) to use/connect to it. The overall view of SSL-VPN is provided here

What exactly are you trying to do? The SSL-VPN connection setup is primarily used by remote users outside (e.g. on the Internet) to connect through the fgt firewall to access resources on the inside (behind) the fgt.

If you have multiple subnets behind the fgt firewall (e.g. 192.168.1.*, 192.168.2.*, etc.) you generally create firewall rules between the subnets (interfaces) with NAT disabled.

intel233 wrote:

I apologize if I am not explaining this correctly. I am new to the Fortinet firewall. What I did was create the address under Policy & Objects (called TEST). After that I went to IPv4 Policy. I have an SSL-VPN tunnel interface (ssl.root), and under Destination I added that address (TEST). Not sure if it's because I don't have the gateway? But I tried using the gateway instead of the IP and that didn't work either. I could not PING it. Ping is enabled, because I can ping the other 2 subnets. The other 2 subnets are /24.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
ShawnZA
Contributor II

intel233 wrote:

When I VPN I only want 1 IP allowed on a particular subnet. Is this possible? I tried creating the Address 192.168.1.120/32 and adding that as the destination, but it does not work.

Yes, it's normal to lock your VPN down to single IPs, ports, etc. Who allows everything? That would be crazy!

Is that /32 in a new range that you are using? Has that been specified as a routing address the VPN clients can access under the VPN Portal settings? If not, add it there as well, or else the new rule will not work.

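The two settings ShawnZA refers to, written out as FortiOS CLI. This is an added illustration, not configuration posted by anyone in this thread. The address object name TEST and the ssl.root interface come from the thread; the portal name, the internal interface name, the user group sslvpn-users, the policy ID and the IP pool SSLVPN_TUNNEL_ADDR1 are assumed placeholders and should be replaced with the names in use on the unit. The point of the example is that a /32 in the firewall policy's destination only permits the traffic; unless split tunneling is disabled, the client only sends that traffic into the tunnel if the same /32 is also listed as a split-tunneling routing address on the portal.

```fortios
# --- 1. The single host object (a /32). Same object is reused below in two places.
config firewall address
    edit "TEST"
        set subnet 192.168.1.120 255.255.255.255
        set comment "Web host reachable over SSL VPN - deliberately not the whole /24"
    next
end

# --- 2. Portal: the routing address decides which destinations the client
#        routes into the tunnel. With split tunneling enabled, a destination
#        missing here never leaves the client towards the FGT, so the policy
#        below is never evaluated and pings simply time out on the client side.
#        (Portal name "full-access" is an assumption.)
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "TEST"
    next
end

# --- 3. Policy: permits only the single host and only the needed services.
#        srcaddr is the SSL VPN client pool, dstaddr is the /32 object, and the
#        user group ties the policy to the portal's authenticated users.
#        (Policy ID 10, interface "internal" and group "sslvpn-users" are assumptions.)
config firewall policy
    edit 10
        set name "sslvpn-to-web-host"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "TEST"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "PING"
        set nat disable
        set logtraffic all
    next
end

# --- 4. Checks, after the client has disconnected and reconnected (the routing
#        addresses are pushed to the client at connect time, not live).
#   On the client:  "route print" (Windows) or "ip route" (Linux) should show
#                   192.168.1.120/32 via the tunnel adapter, and nothing else of 192.168.1.0/24.
#   On the FGT:     diagnose vpn ssl list
#                   get router info routing-table all        (is 192.168.1.0/24 actually reachable from the FGT?)
#                   diagnose debug flow filter addr 192.168.1.120
#                   diagnose debug flow trace start 10
#                   diagnose debug enable
#                   ... run a ping from the client, then: diagnose debug disable
```

The `diagnose debug flow` trace is the quickest way to separate the two failure modes: if no packets for 192.168.1.120 show up at all, the client is not routing them into the tunnel (the portal side); if packets arrive and are dropped with a policy-check message, the firewall policy is the problem. If the packets are forwarded but no reply comes back, check that the FGT has a route to 192.168.1.0/24 (directly connected or via a static route) and that the host itself will answer a source address from the SSL VPN pool.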