Solved: SSL VPN Not Running On External Interface

Nuggeteer

I'm trying to setup an SSL VPN but the SSL VPN portal is only running on my Internal interface, not the External interface. I have my WAN IP configured as the URL to use for the SSLVPN. I have also verified within the IPSec VPN tab under Link Selection it's set to use the WAN IP as well. However, the SSL VPN portal only runs on the Internal interface.

The only thing I can think of is that within the Smart Console my gateway shows up using the Internal IP address of my LAN. Is there a way to force the SSL VPN to use the External interface?

the_rock

Anyway, hit me up directly and can send you zoom.

Andy

View solution in original post

the_rock

Hey guys,

Just to update @Chris_Atkinson , what Bob and I did was below, I just took some basic noted and all worked fine afterwards. I knew it had to be something trivial, but its always good to have working lab to compare it to. Thanks @Nuggeteer for being patient over remote, but glad we sorted it out.

Andy

****************************************

remote session notes:

web UI

192.168.100.1:4434, works

192.168.100.1/sslvpn works

192.168.121.211/sslvpn gives web ui, NOT ssl vpn page

we changed inside layer to internal and installed policy

same issue

realized mgmt server object was natted to 192.168.121.211, disabled it, install policy -> good now

*************************************************

View solution in original post

Chris_Atkinson

Which options are currently set here:

Gateway/cluster object - Mobile Access - Portal Settings - Accessibility - Edit

CCSM R77/R80/ELITE

Nuggeteer

First off, this is in a lab environment.

My gateways external IP is 192.168.121.211 and the internal IP is 192.168.100.1 and it's the gateway for the 192.168.100.0/24 network. My SMS is 192.168.100.10.

--> Under Gateway/cluster object - Mobile Access - Portal Settings - Accessibility - Edit: set to "Through all interfaces".

NOTE: When I try to access hxxp://192.168.121.11/sslvpn I get the management interface, not the SSL VPN interface. If I go to hxxps://192.168.100.1/sslvpn I get the SSLVPN page.

Also, within my gateway, the "Platform Portal" Main URL is set to "https://192.168.121.211. I had it set to https://192.168.100.1 and the SSL VPN didn't work via the external IP with that either so I'm at a bit of a loss here.

Thank you for your help!

Chris_Atkinson

Try setting the platform portal URL to the internal IP on a different port e.g. https://192.168.100.1:4434 and install policy afterwards

CCSM R77/R80/ELITE

Nuggeteer

I changed my platform portal to what you suggested and when I visit hxxps://192.168.121.211/sslvpn I still get the management portal page and not the SSL VPN page.

Is there anything else I can look at? Any logs?

Nuggeteer

Any other thoughts? I've enabled the Mobile Access blade for SSL VPN and RA VPN (client) for workstations. Neither one will work when trying to connect to the external interface.

the_rock

If you are allowed to do remote, happy to try help, since its a lab.

Let me know.

Andy

Nuggeteer

Absolutely! If you're willing. I'm stuck at this point and not sure what else to do.

the_rock

Anyway, hit me up directly and can send you zoom.

Andy

Nuggeteer

For anyone who comes across this and wants to know what the root cause of the problem was. I had my SMS server using a static NAT on the SG external IP and this was causing the NAT to take precedence over my SSL VPN connect. Many thanks to Andy for his assistance !!!!!!!

the_rock

No problem bud, glad to help, any time!

Andy

the_rock

I totally agree with last thing Chris said. Thats how I did it in my lab and workes perfectly fine.

Andy

Nuggeteer

What guide did you use to setup the SSL VPN? I've seen so many YouTube videos and they're all different. Is there updated CP documentation that you followed?

the_rock

Nope, never followed any guide, I have it all in my brain, since I did it who knows how many times lol

I took some screenshots for you.

Andy

Nuggeteer

Do I need an access control policy rule to allow it? I have one for RA-VPN (client), but not one for SSL VPN users.

However, my RA VPN (client) won't connect when I try to create a new site so it's like the SSL VPN daemon isn't listening at all.

the_rock

To just open the page, no, you dont need rule for that.

Andy

the_rock

Hey guys,

Just to update @Chris_Atkinson , what Bob and I did was below, I just took some basic noted and all worked fine afterwards. I knew it had to be something trivial, but its always good to have working lab to compare it to. Thanks @Nuggeteer for being patient over remote, but glad we sorted it out.

Andy

****************************************

remote session notes:

web UI

192.168.100.1:4434, works

192.168.100.1/sslvpn works

192.168.121.211/sslvpn gives web ui, NOT ssl vpn page

we changed inside layer to internal and installed policy

same issue

realized mgmt server object was natted to 192.168.121.211, disabled it, install policy -> good now

*************************************************

Are you a member of CheckMates?

SSL VPN Not Running On External Interface