แล้วเชื่อม network ฝั่งคุณกับลูกค้ายังไงครับ
ผมทำ SSL VPN โดยทำ DDNS ไปครับ คือ Ping และพิม IP อุปกรณ์ Printer อื่นๆ (เช่น 192.168.1.201) บนหน้าบราวเซอร์ในออฟฟิตของลูกค้าได้ครับ แต่พอเป็น IP .1.200 มันไม่ได้ เพราะ IP มันดันมาซ้ำกับ Printer ของออฟฟิตผมด้วยครับ ผมเลยอยากได้วิธีแก้ตรงจุดนี้ครับ ว่าต้องทำอะไรเพิ่มบ้าง เพื่อให้ VPN ไปแล้วสามารถพิม IP .1.200 แล้วเข้าไปที่ Printer ลูกค้า ไม่ใช่ Printer ออฟฟิตผม
น่าจะต้องใช้ vip ช่วยครับในกรณี Overlab supnet
ศึกษาตาม นี้ดูครับ https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/657805/site-to-site-ipsec-vpn-with-overlapping-subnets?fbclid=IwAR0F_0x3H4HbTV89e0IoMjWFL7HfLq9OOi040BJdIQhIpV8xAVVWjS-EEXo
SSL VPN with overlapping subnets
Requirement: LAN subnet of remote client connecting through SSL VPN and local network behind
FortiGate which needs to be accessed overlap.
Network setup:
Remote hosts LAN IP: 192.168.1.10/24
IP of the Server behind Fortigate: 192.168.1.200/24
Products:
All FortiGate models running FortiOS 5.0
Version Tested:
v5.0 build0228 (GA Patch 4)
Configuration:
1. Configure SSL VPN tunnel for remote users -
2. Create users and add them to a group -
To create a user account: Go to User & Device > User > User Definition, and select “Create New”.
3. Configure VIP and address object –
To configure address object: Go to Firewall Objects > Address > Addresses
Note: As the networks overlap we are assuming a virtual subnet 172.16.31.0/24 which is mapped to
actual subnet 192.168.1.0/24
3. To create an SSL-VPN security policy
Go to Policy > Policy > Policy and select “Create New”, select the Policy Type as VPN and the Policy
Subtype as SSL-VPN, enter the following information:
Incoming Interface: Select the name of the FortiGate network interface to that connects to the
Internet.
Remote Address: Select all.
Local Interface: Select the FortiGate network interface that connects to the protected network.
Local Protected Subnet: Select the firewall address you created using virtual network
172.16.31.0/24
4. To configure the tunnel mode security policy –
Go to Policy > Policy> Policy and select Create New, leave the Policy Type as Firewall and leave the
Policy Subtype as Address, enter the following information
Incoming Interface: Select the virtual SSL VPN interface, such as ssl.root.
Source Address: Select the firewall address you created that represents the IP address range
assigned to SSL VPN clients, such as SSL_VPN_tunnel_users.
Outgoing Interface: Select the interface that connects to the protected network.
Destination Address: Select the VIP object configured
Action: Select Accept.
Enable NAT: Select Enable.
Once the configuration is complete, remote users connecting to SSLVPN can access the server using
the IP 172.16.31.200 and the traffic will be forwarded to 192.168.1.200.