Separating a WAN subnet into Multiple Ports

theArties
2020/01/08 17:32:42 (permalink)

Separating a WAN subnet into Multiple Ports

Hi all, 
 
Would like to know whether there's a workaround for this. 

Currently a /29 WAN subnet is created on WAN 1, e.g. 202.188.1.130/29. Gateway is 202.188.1.129.
I want to separate a particular IP out, e.g. 202.188.1.132, and connect it to another port, e.g. Port 15, for SSL-VPN purposes.
By default, under the SSL-VPN settings, the box will only listen on the WAN 1 IP, i.e. 202.188.1.130:443.
 
How can I make the box listen on 202.188.1.132 for the SSL-VPN?
 
Thank you in advance for your guidance. 
 
 
 
 
#1
ShawnZA
Re: Separating a WAN subnet into Multiple Ports 2020/01/08 20:50:19 (permalink) ☄ Helpfulby theArties 2020/01/08 22:33:57
You will not be able to set an IP on another interface that is already part of the /29 on your WAN1.
 
You could break up the /29 into two /30s, but would need extra config on the next hop router as well, and a switch in between if there are no other ports available on the next hop.
 
You could also do a VIP as per this thread, but I don't think that's what you are looking for, as the original IP will also still be listening for VPN requests unless you block it...
 
https://forum.fortinet.com/tm.aspx?m=111523
 
 
 
#2
theArties
Re: Separating a WAN subnet into Multiple Ports 2020/01/08 22:35:32 (permalink)
Hi ShawnZA, 
 
Thanks for your time. 
 
I read through the link and did a check on the current box. 
Silly question: what should the mapped IP be? The LAN IP for the box? 
 
Thanks.
#3
ShawnZA
Re: Separating a WAN subnet into Multiple Ports 2020/01/08 22:48:23 (permalink)
In the link I pasted the guy actually forwards it to his primary external IP, so probably not what you are looking for.
 
You could also create a loopback interface and assign any internal IP to it, like 10.40.1.1/30, or just a /32 as you only need one IP.
 
Then create a VIP address with your second external IP and forward it to the IP you specified for the loopback on port 443.
 
Then in the VPN settings you select the new loopback interface as the listening interface. I have done setups like that for IPSEC VPN so I am sure it should work for an SSL VPN setup.
post edited by ShawnZA - 2020/01/09 04:35:43
#4
ShawnZA
Re: Separating a WAN subnet into Multiple Ports 2020/01/08 23:05:13 (permalink)
5 (1)
I did a quick change on my home firewall; look at the attached image. Create the loopback interface, create the VIP address and change the VPN settings to the new interface.
Then create the policy with the VIP to forward the SSL VPN traffic to your new internal loopback interface.
 
 
https://forum.fortinet.com/tm.aspx?m=149400
Also some info on setting up SSL VPN to a Loopback interface.
post edited by ShawnZA - 2020/01/08 23:22:56

#5
theArties
Re: Separating a WAN subnet into Multiple Ports 2020/01/20 23:57:49 (permalink)
Hi ShawnZA,
 
Thank you for sharing the idea. I've followed the steps and was able to achieve the result. 
 
Cheers.
#6