FortiGate
salemneaz
Staff
Article Id 285020
Description This article demonstrates how to access a local host from an SSL VPN and vice versa.
Scope All supported versions of FortiOS.
Solution

After connecting to the SSL VPN, the remote user normally initiates connections to resources on the inside network. Connections in the opposite direction, from an inside host to the remote SSL VPN host, are not possible without additional configuration. Some scenarios require an inside host to reach the remote host once it is connected to the SSL VPN.

The step-by-step configuration template is given below. Adjust the interface names, address objects and IP addresses to match the deployment scenario:

SSL VPN Configuration:

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 8443
    set source-interface "wan2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
    config authentication-rule
        edit 1
            set users "<username>"
            set portal "full-access"
        next
    end
end

SSL VPN Portal:

config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ipv6-tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    next
end

Firewall Policy:

This policy allows the SSL VPN user to reach the inside network (the usual direction). The user name must match the one configured in the authentication rule above.

config firewall policy
    edit 3
        set name "sslvpn-to-inside"
        set srcintf "ssl.root"
        set dstintf "internal"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "internal"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set users "<username>"
    next
end

This policy allows traffic from the inside host to the SSL VPN host. The template permits the service ALL; in production, narrow it to the services the inside host actually needs to reach on the remote client.

config firewall policy
    edit 4
        set name "inside-to-sslvpn"
        set srcintf "internal"
        set dstintf "ssl.root"
        set action accept
        set srcaddr "internal"
        set dstaddr "SSLVPN_TUNNEL_ADDR1"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Check the routing as well. The FortiGate does not include the SSL VPN pool in its routing table, so traffic from the inside host toward a connected client would otherwise follow the default route. Add a static route for the pool subnet via the SSL VPN tunnel interface (ssl.root).
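The following is an added example, not part of the original article, showing the static route described above together with the pool address object it assumes and two commands to verify the result. The range 10.212.134.200-10.212.134.210 and the /24 route are assumed values; match them to the SSLVPN_TUNNEL_ADDR1 object in the deployment.

```fortios
# Added example, not from the original article. The pool range below is an
# assumed value; match it to the SSLVPN_TUNNEL_ADDR1 object in the deployment.
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end

# Static route for the pool subnet via the SSL VPN tunnel interface, so that
# traffic from the inside host toward a connected client is forwarded into
# the tunnel instead of following the default route.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
        set comment "SSL VPN pool, required for the inside-to-sslvpn policy"
    next
end

# Verification: the pool subnet should appear as a static (S) route on
# ssl.root, and an ICMP test from an inside host to a connected client
# should be visible on the tunnel interface.
get router info routing-table all
diagnose sniffer packet ssl.root 'icmp' 4
```

If the route is missing, the inside-to-sslvpn policy never matches, because the forwarding decision for the pool addresses is made before the policy lookup.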

Related article:
SSL VPN full tunnel for a remote user - FortiGate administration guide.