SSL To Site to Site VPN

Hi All,

 

Please find the attached diagram, where SSL VPN is configured on my ASA to access my internal network behind another vendor's firewall, i.e. a FORTIGATE.

 

But now my company wants users from outside to connect to the SSL VPN via the ASA and, after successfully connecting and accessing the internal network behind the FORTIGATE, to be able to access other locations, i.e. via the site-to-site tunnel configured on the FortiGate between the locations.

 

So can anyone help me: is it possible? If yes, how can I make it work?

 

Below I'm giving some IP details:

 

SSL VPN assigned pool: 172.20.1.0/24

172.20.1.0/24 is NATed to 192.168.1.1 when a user needs to connect to other locations via the site-to-site tunnel configured on the FortiGate.

 

Also, I need to know whether it is possible to extend 1 public IP to both the ASA and the FortiGate using an L2 VLAN (refer to the attached diagram).

 

Please help me.

 

Regards,

Vishal


6 Replies

Afolarin Omole (Level 1)

Hello,

According to your diagram, I can see you want remote users via the ASA on SSL VPN, whilst the internal network communicates via S2S between the 2 FortiGates?

 

Please clarify this part so I can complement my understanding of this.

 

Thanks

Olu 

Hi Olubunmi,

 

Thanks for your reply.

 

Basically I want my users from home to connect to the ASA SSL VPN and access the internal network behind the FORTIGATE. Then, after this, if they want to connect to other locations' networks, they will go over the site-to-site tunnel between the two FortiGates and communication is established.

 

Please help and guide me on how it will work.

Hello Netspace,

My understanding of your setup is that you want all remote users' SSL VPN termination to be on the ASA, which will allow them access to the internal network behind FORTIGATE A, and for the remote SSL VPN users to access the internal network on the remote side of FORTIGATE B, they will need to pass through the tunnel between the 2 FORTIGATEs.

 

First, remote access user access is dependent on the VPN profile attached to the group policy; for example, we use such a template to determine which group a user belongs to for connection purposes, what and where the user has access to, restrictions to and from, etc.

 

So it is a pretty easy job to configure SSL VPN on the ASA; though I am not an ASDM fan, I could give you a CLI template at your request.

 

For the traffic between the 2 FORTIGATE S2S VPN peers, all you need to do is add the ASA remote access VPN IP pool to the allowed encryption domain on both FORTIGATEs; remember you need to mirror this on both firewalls as below:

 

ON FORTIGATE A :

SSL VPN IP POOL ====>  INTERESTED TRAFFIC ON FORTIGATE B

 

ON FORTIGATE B :

INTERESTED TRAFFIC ON FORTIGATE B ====> SSL VPN IP POOL

 

Having said the above, please check dependencies and compatibility, and also refer to the vendor documentation.

 

Thanks.
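The procedure above (split-tunnel group policy on the ASA, then the SSL VPN pool added to the encryption domain on both FortiGates) written out as CLI, as an added example that is not part of the original thread or of either vendor's documentation. The pool 172.20.1.0/24 is the one from the post; everything else is assumed: the ASA inside transit link is 192.168.1.0/24 (ASA .254, FortiGate A port2 .253), Site A LAN is 10.1.0.0/16, Site B LAN is 10.2.0.0/16, and the existing route-based tunnel uses phase1-interface "toSiteB" on FortiGate A and "toSiteA" on FortiGate B. Object, policy and selector names are illustrative.

```text
! ===== Cisco ASA (SSL VPN head-end) =====
! Assumed: transit link to FortiGate A is 192.168.1.0/24 (FortiGate A port2 = .253),
! Site A LAN 10.1.0.0/16, Site B LAN 10.2.0.0/16. Pool 172.20.1.0/24 is from the post.
ip local pool SSLVPN_POOL 172.20.1.1-172.20.1.254 mask 255.255.255.0
object network SSLVPN_POOL_NET
 subnet 172.20.1.0 255.255.255.0
object-group network CORP_NETS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
! Site B is reached through FortiGate A, the same way Site A already is.
route inside 10.2.0.0 255.255.0.0 192.168.1.253
! Split tunnel: only the two sites go through the VPN; everything else stays local.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.0.0
! Identity NAT so pool<->site traffic is not rewritten by the ASA's other NAT rules.
nat (inside,outside) source static CORP_NETS CORP_NETS destination static SSLVPN_POOL_NET SSLVPN_POOL_NET no-proxy-arp route-lookup
group-policy SSLVPN_GP internal
group-policy SSLVPN_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 address-pools value SSLVPN_POOL
# ===== FortiGate A (Site A) =====
# Assumed: port2 faces the ASA (ASA inside = 192.168.1.254); "toSiteB" is the existing
# route-based phase1-interface to Site B.
config firewall address
    edit "SSLVPN_POOL"
        set subnet 172.20.1.0 255.255.255.0
    next
    edit "SITEB_LAN"
        set subnet 10.2.0.0 255.255.0.0
    next
end
# Return route: replies to SSL VPN clients go back to the ASA.
config router static
    edit 0
        set dst 172.20.1.0 255.255.255.0
        set gateway 192.168.1.254
        set device "port2"
    next
end
# Encryption domain: add the pool as its own phase 2 selector on the existing tunnel.
config vpn ipsec phase2-interface
    edit "SSLVPN-to-SiteB"
        set phase1name "toSiteB"
        set src-addr-type subnet
        set src-subnet 172.20.1.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
# Policy from the ASA-facing port into the tunnel: no NAT, logged per client IP.
config firewall policy
    edit 0
        set name "SSLVPN-to-SiteB"
        set srcintf "port2"
        set dstintf "toSiteB"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "SITEB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# ===== FortiGate B (Site B), mirror image =====
# Assumed: "toSiteA" is the phase1-interface to Site A; port1 is the Site B LAN.
config firewall address
    edit "SSLVPN_POOL"
        set subnet 172.20.1.0 255.255.255.0
    next
end
# Route the pool back into the tunnel (needed for route-based VPN).
config router static
    edit 0
        set dst 172.20.1.0 255.255.255.0
        set device "toSiteA"
    next
end
config vpn ipsec phase2-interface
    edit "SSLVPN-from-SiteA"
        set phase1name "toSiteA"
        set src-addr-type subnet
        set src-subnet 10.2.0.0 255.255.0.0
        set dst-addr-type subnet
        set dst-subnet 172.20.1.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "SSLVPN-in"
        set srcintf "toSiteA"
        set dstintf "port1"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The two phase 2 entries are exact mirrors (src/dst swapped); if they are not, IKE phase 2 for that selector will not come up and the traffic will be silently dropped rather than routed in the clear. Keep the SSL VPN pool as a separate selector and policy instead of widening an existing one, so that access from remote users into Site B can be restricted and logged independently of Site A's LAN.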

Hi Olubunmi,

 

Thanks for your help. Your suggestion looks really technical and logical also.

 

As per your suggestion, for the SSL VPN to FortiGate site-to-site tunnel I need to add the SSL VPN pool on both FortiGates (Site A and B). But what if I want my SSL VPN pool IPs to be NATed to a particular IP range, for example 192.168.1.0/24, while going site to site via the FortiGate?

 

Then would I need to replace the SSL VPN IP pool with the NAT pool IP 192.168.1.0/24 in the source address for things to work?

 

Then you have to allow that subnet in the FortiGate encryption domain.

If I may ask, why are you doing NAT? It is fine to NAT when going out to the public cloud, which is what the protocol is meant for, and when doing NAT on the inside, that means we are trying to protect something, e.g. a server etc.

For your question and what you stated, if you NAT the SSL pool then you only need to allow the NAT IP on the FortiGate. Please take traffic flow into consideration.

Let me know if this helps and mark this as the solution.
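The NAT variant asked about above, as an added example that is not part of the original thread or of Fortinet's documentation: FortiGate A translates the SSL VPN pool to 192.168.1.1 (the address the original post gives) on the policy that sends traffic into the tunnel, so the encryption domain on both sides carries only the translated address, not 172.20.1.0/24. The same assumed names as in the earlier example are used ("toSiteB"/"toSiteA" phase1-interfaces, port2 facing the ASA, Site B LAN 10.2.0.0/16, address objects "SSLVPN_POOL" and "SITEB_LAN" already defined); 192.168.1.1 is assumed to be an address no real host uses.

```text
# ===== FortiGate A: NAT the SSL VPN pool before it enters the tunnel =====
# Assumed: 192.168.1.1 is a free address; one IP with port overload hides the whole pool.
config firewall ippool
    edit "SSLVPN_NAT"
        set type overload
        set startip 192.168.1.1
        set endip 192.168.1.1
    next
end
# The selector carries the translated address: NAT happens before encryption,
# so the real pool must NOT be in the encryption domain any more.
config vpn ipsec phase2-interface
    edit "SSLVPN-to-SiteB"
        set phase1name "toSiteB"
        set src-addr-type subnet
        set src-subnet 192.168.1.1 255.255.255.255
        set dst-addr-type subnet
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
# The policy still matches on the real (pre-NAT) source so only pool clients are translated.
config firewall policy
    edit 0
        set name "SSLVPN-to-SiteB-NAT"
        set srcintf "port2"
        set dstintf "toSiteB"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "SITEB_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SSLVPN_NAT"
        set logtraffic all
    next
end
# ===== FortiGate B: only the NAT address needs to be in the encryption domain =====
config vpn ipsec phase2-interface
    edit "SSLVPN-from-SiteA"
        set phase1name "toSiteA"
        set src-addr-type subnet
        set src-subnet 10.2.0.0 255.255.0.0
        set dst-addr-type subnet
        set dst-subnet 192.168.1.1 255.255.255.255
    next
end
config router static
    edit 0
        set dst 192.168.1.1 255.255.255.255
        set device "toSiteA"
    next
end
```

If a whole range such as 192.168.1.0/24 is used instead (the later question in the thread), give the ippool that start/end range and put 192.168.1.0 255.255.255.0 in both selectors and in the Site B route; the 172.20.1.0/24 route on FortiGate B from the non-NAT setup is then no longer needed. The trade-off to take into account: Site B sees every remote user as 192.168.1.1, so per-user attribution of traffic into Site B has to come from FortiGate A's policy log (hence `logtraffic all`) correlated with the ASA's session log, and Site B cannot write firewall rules per remote user.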

Thanks Olubunmi,

 

Looks like it works. I will try it and let you know