Please find attached diagram where on my ASA SSL VPN is configured to access my internal network behind my another vendor firewall i.e FORTIGATE.
But Now my Company wants that users from outside connect to SSL Vpn using an ASA and after successfully connected and access internal network which is behind FORTIGATE should able to access other locations i.e via Site to Site tunnel which is configured on fortigate in between location.
So can anyone help me is it possible ? If yes how can make it work through.
Below I'm giving some IP detail
SSL VPN assign pool ( 172.20.1.0/24)
(172.20.1.0/24) is going to Nat on 192.168.1.1 when user needs to connect to other locations via site to site tunnel which is configured on Fortigate
Also need to know is it possible to extend 1 public IP to both ASA and Fortigate using L2 Vlan (Refer Attached diagram)
Please help me.
Solved! Go to Solution.
According to your diagram , I can see you want remote user via ASA on SSL VPN whilst internal network to communicate via S2S between the 2 FortiGate ?
Please clarify this part so I can compliment my understanding of this.
Thanks for your reply.
Basically I want my user from home connect ASA SSL Vpn and access internal network which is behind FORTIGATE. Then after this if they want to connect to other locations network, they will connect site to site tunnel between two fortigate and communication established.
Please help and guide me how it will work
My Understanding of your setup is that , you want all remote users SSL VPN termination to be on the ASA , which will allow their access to internal network behind one of the FORTIGATE A , and for the remote SSL VPN users to access other remote side internal network of the FORTIGATE B , they will need pass through the tunnel between the 2 FORTIGATE.
First the remote access user access is dependant on the VPN profile attached to the group policy , for example we use such template to determine which group user belong to for connection purposes , what and where user have access and restriction to and from etc...
So it is pretty much easy job to configure SSL VPN on ASA , though am not ASDM fan but I could give you CLI template at your request.
For the Traffic between the 2 FORTIGATE S2S VPN , all you need to do is to add the ASA remote access VPN ip pool to the allowed encryption domain on both FORTIGATE , remember you need to mirror this on both firewall as below :
ON FORTIGATE A :
SSL VPN IP POOL ====> INTERESTED TRAFFIC ON FORTIGATE B
ON FORTIGATE B :
INTERESTED TRAFFIC ON FORTIGATE B ====> SSL VPN IP POOL
saying the above please check dependencies , compatibility and also refer to vendor documentations.
Thanks for your help. Your suggestion looks really technical and logical also.
As per your suggestion for SSL Vpn to fortigate Site to Site tunnel need to add SSL Vpn pool on both fortigate (Site A and B).But for what if I want that my SSL Vpn pool ip to be natted on particular IP example 192.168.1.0/24 while going site to site via fortigate.
Then would I need to replace the SSL Vpn ip pool with Nat pool ip 192.168.1.0/24 in source address for things to work.