Purpose
Scope
Diagram
Expectations, Requirements
Configuration
Only the relevant parts of the configuration are provided, in CLI form. The user password, address ranges, MAC address and UUIDs shown are lab placeholders and must be replaced with your own values in a real deployment.
# Address objects used by the 5.0 example below.
config firewall address
# Tunnel-mode client pool: 11 addresses, .200-.210. The static route and the
# ssl.root firewall policy refer to this object.
edit "SSLVPN_TUNNEL_ADDR1"
set type iprange
set end-ip 10.212.134.210
set start-ip 10.212.134.200
next
# Internal resources reachable through the tunnel; used as dstaddr in both
# firewall policies, so VPN users get to this range only.
edit "port2_Internal_resources"
set type iprange
set end-ip 10.129.0.140
set start-ip 10.129.0.110
next
end
On version 5.0 (the SSL VPN portal is assigned per user group inside an identity-based firewall policy on port1, and a second policy from ssl.root permits the tunnelled traffic):
# 5.0 global SSL VPN settings. Only the tunnel pool is shown; the listening
# port, server certificate and any source restrictions are not part of this
# excerpt and must be configured separately.
config vpn ssl settings
# Pool from which tunnel-mode clients receive their virtual IP.
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end
# Local test account used by the example.
config user local
edit "test"
set type password
# "123456" is a lab placeholder. Never deploy an SSL VPN account with a
# trivial password: the portal is reachable from wherever port1 is, so
# credential strength (ideally with a second factor) is the only control
# protecting this login.
set passwd 123456
next
end
# Group referenced by the identity-based policy below; only its members are
# mapped to the "tunnel-access" portal.
config user group
edit "test_ssl"
set member "test"
next
end
# Portal definition, 5.0 style: portal features are widgets on the portal page.
config vpn ssl web portal
edit "tunnel-access"
config widget
# Tunnel-mode widget with split tunneling. Only traffic to the routes the
# FortiGate pushes goes through the tunnel (in 5.0 these are derived from
# the SSL VPN policy destinations -- confirm for your build); everything
# else, including the client's Internet traffic, bypasses the FortiGate and
# is not inspected by its policies.
edit 1
set name "Tunnel Mode"
set type tunnel
set split-tunneling enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
# NOTE(review): "SSLVPN_TUNNEL_IPv6_ADDR1" is not defined in this excerpt;
# it is either a built-in object or must be created separately -- confirm.
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
next
# Read-only session information widget.
edit 2
set name "Session Information"
set type info
next
end
next
end
# Return route for the tunnel pool: traffic to 10.212.134.0/24, which
# contains the .200-.210 pool, is sent back into the virtual ssl.root
# interface. Without it, replies from port2 would follow the default route.
config router static
edit 2
set device "ssl.root"
set dst 10.212.134.0 255.255.255.0
next
end
# 5.0 needs two policies: one on the outside interface that accepts the
# SSL VPN session and maps authenticated groups to a portal, and one from the
# virtual ssl.root interface that permits the tunnelled traffic.
config firewall policy
# Policy 2: portal access from port1. srcaddr "all" exposes the login page
# to every source that can reach port1; restrict it when remote users come
# from known ranges.
edit 2
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "port2_Internal_resources"
set action ssl-vpn
set identity-based enable
config identity-based-policy
edit 1
set schedule "always"
set groups "test_ssl"
# "ALL" services; narrow this to the protocols the internal resources need.
set service "ALL"
set sslvpn-portal "tunnel-access"
next
end
next
# Policy 3: tunnel-mode traffic. Source is limited to the tunnel pool and
# destination to the internal-resources range. This policy is what actually
# grants network access, so keep both address objects (and the service)
# as narrow as the use case allows.
edit 3
set srcintf "ssl.root"
set dstintf "port2"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "port2_Internal_resources"
set action accept
set schedule "always"
set service "ALL"
next
end
On version 5.2 onwards (the portal is assigned by an authentication rule in `config vpn ssl settings`, and a single policy from ssl.root that carries the user group permits the tunnelled traffic):
# Internal subnet reachable through the tunnel (5.2+). The same object is
# used as the split-tunnel routing address and as the policy dstaddr, so the
# route pushed to clients and what the policy permits stay in step.
config firewall address
edit "Internal_subnet"
# NOTE(review): the uuid is generated by the unit; it can normally be
# omitted when re-entering this configuration on another device.
set uuid 0a22b0ce-c166-51e4-c063-cfa0873cfecb
set associated-interface "port2"
# /23: 10.129.0.0 - 10.129.1.255
set subnet 10.129.0.0 255.255.254.0
next
end
# Local test account used by the example.
config user local
edit "test"
set type password
# passwd-time is recorded by the unit when the password is set; it appears
# here as captured from a running system and need not be typed in.
set passwd-time 2015-01-02 03:29:25
# "123456" is a lab placeholder. Never deploy an SSL VPN account with a
# trivial password: the portal is exposed on port1 to any source, so
# credential strength (ideally with a second factor) is the only control
# protecting this login.
set passwd 123456
# No explicit "next" here: "end" inside an edit saves the entry and leaves
# the table in one step (as captured; adding "next" is equivalent).
end
# Group used both by the SSL VPN authentication rule (portal selection) and
# by the ssl.root firewall policy (network access).
config user group
edit "test_SSL"
set group-type firewall
# NOTE(review): authtimeout 0 is normally "use the global auth timeout";
# confirm for your FortiOS build.
set authtimeout 0
set auth-concurrent-override disable
set http-digest-realm ''
set member "test"
next
end
# 5.2+: portal mapping moves into the SSL VPN settings (authentication
# rules), replacing the 5.0 identity-based policy.
config vpn ssl settings
set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
# NOTE(review): "SSLVPN_TUNNEL_IPv6_ADDR1" is not defined in this excerpt;
# it is either a built-in object or must be created separately -- confirm.
set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
# The portal listens on port1 for any IPv4/IPv6 source. Where remote users
# come from known ranges, restricting source-address/source-address6 reduces
# how much of the Internet can reach the login page at all.
set source-interface "port1"
set source-address "all"
set source-address6 "all"
# Portal given to authenticated users who match no authentication rule;
# "web-access" is not defined in this excerpt (presumably a built-in portal).
set default-portal "web-access"
config authentication-rule
edit 1
# Members of test_SSL get the "full-access" portal defined below.
set groups "test_SSL"
set portal "full-access"
next
end
end
# Portal definition, 5.2 style: modes and checks are portal attributes.
config vpn ssl web portal
edit "full-access"
# Both tunnel mode (VPN client) and web mode (browser portal) are allowed.
set tunnel-mode enable
set web-mode enable
# Only MAC addresses listed under mac-addr-check-rule may use this portal.
# The MAC is supplied by the client software (it cannot be observed across
# a routed path), so treat this as a weak device filter, not as device
# identity; it does not replace strong user authentication.
set mac-addr-check enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
# Split tunneling: only "Internal_subnet" is routed into the tunnel (see the
# client route table under Verification). Everything else leaves the client
# directly and is neither seen nor inspected by the FortiGate.
set split-tunneling-routing-address "Internal_subnet"
set page-layout double-column
config mac-addr-check-rule
edit "1"
# Lab placeholder MAC.
set mac-addr-list 00:98:12:fe:3e:12
next
end
next
end
# Return route for the tunnel pool: traffic to 10.212.134.0/24, which
# contains the .200-.210 pool, is sent back into the virtual ssl.root
# interface. Needed even with NAT enabled, so the FortiGate itself can reach
# connected clients.
config router static
edit 2
set dst 10.212.134.0 255.255.255.0
set device "ssl.root"
next
end
# 5.2+: a single policy from the virtual ssl.root interface grants network
# access; the group on the policy ties it to the authenticated SSL VPN user.
config firewall policy
edit 2
# NOTE(review): the uuid is generated by the unit; it can normally be
# omitted when re-entering this configuration on another device.
set uuid 0f6ddc5c-c166-51e4-ef47-01fba69ab5ca
# Source limited to the tunnel pool, destination to the internal subnet;
# keep both as narrow as the use case allows.
set srcintf "ssl.root"
set dstintf "port2"
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "Internal_subnet"
set action accept
set schedule "always"
# "ALL" services; narrow this to what the internal subnet actually needs.
set service "ALL"
set groups "test_SSL"
# With NAT, internal hosts see the FortiGate port2 address rather than the
# per-user tunnel IP (see the sniffer trace under Troubleshooting). Keep
# FortiGate traffic logs if per-user attribution on the servers matters;
# without NAT, the internal network needs a return route for the pool.
set nat enable
next
end
The firewall policy can also be created while configuring the SSL VPN settings in the GUI; for more information, refer to the video below:
http://video.fortinet.com/video/110/ssl-vpn-for-remote-users-5-2
Verification
- Open the SSL VPN Portal and tunnel:
- https://192.168.140.124:10443
- login and click on "Tunnel Mode" --> "Connect"
- Tunnel link status should be "UP"
3 - Check the FortiSSL interface status on PC1:
C:\ ipconfig /all
C:\Documents and Settings\xxxxx>ipconfig/all
Windows IP Configuration
Host Name . . . . . . . . . . . . : xxxxx
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 T Server Adapter #
2
Physical Address. . . . . . . . . : 00-50-56-01-69-2A
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.128.0.142
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.128.0.131
PPP adapter fortissl:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.212.134.200
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
4 - Check PC1 routing table , looking for the subnet(s) of the internal resources:
C:\ route print
C:\Documents and Settings\xxxx>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 56 01 69 2a ...... Intel(R) PRO/1000 T Server Adapter #2 - Packet S
cheduler Miniport
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.128.0.131 10.128.0.142 10
10.128.0.0 255.255.254.0 10.128.0.142 10.128.0.142 10
10.128.0.142 255.255.255.255 127.0.0.1 127.0.0.1 10
10.129.0.0 255.255.254.0 10.212.134.200 10.212.134.200 1
10.212.134.200 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.128.0.142 10.128.0.142 10
10.255.255.255 255.255.255.255 10.212.134.200 10.212.134.200 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.140.124 255.255.255.255 10.128.0.131 10.128.0.142 1
224.0.0.0 240.0.0.0 10.128.0.142 10.128.0.142 10
224.0.0.0 240.0.0.0 10.212.134.200 10.212.134.200 50
255.255.255.255 255.255.255.255 10.128.0.142 10.128.0.142 1
255.255.255.255 255.255.255.255 10.212.134.200 10.212.134.200 1
Default Gateway: 10.128.0.131
===========================================================================
Persistent Routes:
None
Note here that 10.129.0.0/23 (netmask 255.255.254.0, the "Internal_subnet" split-tunnel routing address) points to the client's SSL VPN tunnel address 10.212.134.200, while the default route still uses the local default gateway 10.128.0.131. This is the practical meaning of split tunneling: only traffic to the internal subnet is protected by the VPN; all other client traffic leaves through the local network and is neither seen nor inspected by the FortiGate.
Troubleshooting
A sniffer trace launched from the FortiGate CLI will help in troubleshooting connectivity issues, as per the CLI command example below. Note that this trace was taken in a different lab than the configuration above: the tunnel client is 10.0.0.1, the internal host is 10.160.0.110 and the FortiGate port2 address is 10.160.0.136.
FGT # diagnose sniffer packet any "host 10.160.0.110 and port 80" 4
46.928415 ssl.root in 10.0.0.1.4117 -> 10.160.0.110.80: syn 1910220645
46.930144 port2 out 10.160.0.136.36979 -> 10.160.0.110.80: syn 1910220645
46.930434 port2 in 10.160.0.110.80 -> 10.160.0.136.36979: syn 315656354 ack 1910220646
46.930482 ssl.root out 10.160.0.110.80 -> 10.0.0.1.4117: syn 315656354 ack 1910220646
Note that because NAT is enabled on the firewall policy, the packet sent out on port2 is sourced from the FortiGate port2 IP address (10.160.0.136 in the trace above). As a consequence, internal servers log the FortiGate address rather than the individual client's tunnel IP; use the FortiGate traffic logs or a sniffer trace like this one for per-user attribution.
If NAT had NOT been enabled, the packet sent on port2 would keep the source IP assigned from the SSL VPN pool (10.0.0.1 here); in that case the internal hosts need a return route for the pool range via the FortiGate:
FGT # diagnose sniffer packet any "host 10.160.0.110 and port 80" 4
28.802447 ssl.root in 10.0.0.1.4269 -> 10.160.0.110.80: syn 3870100179
28.802516 port2 out 10.0.0.1.4269 -> 10.160.0.110.80: syn 3870100179