Topic: FortiGate VPN IP reporting issue (https://community.spiceworks.com/t/fortigate-vpn-ip-reporting-issue/764344)

Daniel9483, 2020-05-29 11:52 UTC:

I’m having a weird issue with our VPN, specifically with one of our applications.

The issue is that our application has built-in IP whitelisting on a user level. So, for our local users I’ve added our VPN IP range, but when anyone logs in to that application, they are blocked from logging in, and when I look at the log files, our system doesn’t see the IP address assigned to the user, but the system sees the user as coming from the local IP address of our firewall.

Now, I don’t have access to our firewall to see what’s going on, and Fortinet support got me nowhere.

Does anyone know what might be going on, and what I can do to fix that issue?
gerardbeekmans, 2020-05-29 12:02 UTC:

It’s most likely a case of a firewall policy on the FortiGate that’s allowing the VPN traffic having NAT turned on. This way, when VPN traffic leaves the router to go to your internal server, it’ll be seen as the FortiGate IP.

To fix this, you will need access to the FortiGate of course and change that setting. You’ll likely also need to create static routes if they don’t exist in your environment yet so that full layer 3 (routed) communication is possible between the LAN and VPN subnets.

Windows servers and such may also need their Windows Firewalls modified to allow this “foreign” subnet access to their resources.
Daniel9483, 2020-05-29 12:10 UTC:

OK, well I’ll have to check on that; however, the curious issue is that all of our other applications, which all run off of Windows servers, all on the same subnet, don’t have this issue. They all report back the assigned IP.

Any idea how that would be possible?
gerardbeekmans, 2020-05-29 12:14 UTC:

NAT again. I’m of course guessing here as I can’t see your config. It’s very likely there’s a specific policy that only applies to traffic heading to that one server that has NAT enabled. I actually have several such policies on my own FortiGates to help with troublesome servers and applications that will not work with different subnets. For those apps, I force NAT so they don’t know there’s VPN involved and “think” it’s all local-only traffic.
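As an added illustration of the NAT-on-policy explanation in the answers above (example configuration, not taken from the thread or from Fortinet; the interface names, address objects, policy ID and the 10.212.134.0/24 tunnel range are assumptions), this is what a FortiGate VPN-to-LAN policy looks like with source NAT on, so the server logs the firewall's LAN address, next to the corrected policy and the static route that gives the LAN a routed path back to the tunnel subnet:

```fortios
# Problem policy as the answer describes it: the VPN-to-LAN rule has source NAT on,
# so the application server sees the FortiGate's LAN interface address instead of
# the client's tunnel address and the per-user IP whitelist never matches.
# Interface names, address objects and the policy ID are assumptions for this example.
config firewall policy
    edit 10
        set name "SSLVPN-to-AppServer"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "AppServer"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end

# Corrected policy: same match, NAT off, so the server logs the client's tunnel IP,
# which is the range the whitelist was populated with.
config firewall policy
    edit 10
        set nat disable
    next
end

# Routed return path: the LAN side must be able to reach the tunnel subnet without
# NAT hiding it. Assumed SSL-VPN pool 10.212.134.0/24 on the ssl.root interface.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "ssl.root"
    next
end
```

To confirm the change on the FortiGate, a packet capture on the LAN interface filtered to the server (for example `diagnose sniffer packet port2 'host 192.0.2.10 and port 443' 4`, with 192.0.2.10 as an assumed server address) should show the client's tunnel address as the source once NAT is off, and the port2 address while it is still on.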