Accessing Resources Across a Site-to-Site Tunnel when Connected via SSL VPN

NEP Posts: 61  Ally Member
edited September 2022 in Security
Hello,

I have a question about accessing resources across a S2S tunnel when connected to an SSL VPN.

Currently, we have multiple sites. They are all connected with an IPSEC VPN. When on site, a user can access any resource at any site on any port (that is allowed by policy).

Users working remotely connect with an SSL VPN (not in Full Tunnel Mode) to their respective site. Recently, we moved a user from one site to another. This was done because of an issue with that device's firmware. Ultimately, it is a better connection for them, so we left them. Anyway, now the user can't access a certain resource from another site, a resource at the site that they used to connect to. That said, it's not specific to this resource. We just don't have many people doing this. When connected with the SSL VPN, only resources (e.g. subnets) at that site are accessible to the user.

My question is, can the system be configured to allow this access? Via Security Policy? Say the firewall at Site A hands out 10.10.10.x addresses for SSL VPN, Site A internally hands out 192.168.90.x addresses, and Site B hands out 192.168.70.x addresses. What must be configured to allow a 10.10.10.x (SSL VPN > Site A) IP to access 192.168.70.x (Site B) resources? Is it possible?

user -> (SSL VPN) -> Site A firewall -> (IPSEC tunnel) -> Site B firewall -> resource

Thanks and have a good weekend!

Accepted Solution

  • zyman2008 Posts: 199  Master Member
    Answer ✓
    You need to configure a route and a security policy on both sites.
    Site A:

    1. Create a policy route (Network > Routing > Policy Route)
    source: 10.10.10.x
    destination: 192.168.80.x(SiteB)
    next-hop: VPN tunnel, select the S2S tunnel to SiteB

    2. Security Policy (Security Policy > Policy Control)
    From: SSL_VPN
    To: IPSec_VPN
    source: 10.10.10.x
    destination: 192.168.80.x(SiteB)
    action: allow

    3. SSL VPN Network (VPN > SSL VPN > Access Privilege)
    Edit the SSL VPN policy, add 192.168.80.x(SiteB) into the Network List.

    SiteB:
    1. Create a policy route (Network > Routing > Policy Route)
    source: 192.168.80.x(SiteB)
    destination: 10.10.10.x
    next-hop: VPN tunnel, select the S2S tunnel to SiteA

    2. Security Policy (Security Policy > Policy Control)
    From: LAN
    To: IPSec_VPN
    source: 192.168.80.x(SiteB)
    destination: 10.10.10.x
    action: allow

All Replies

  • NEP Posts: 61  Ally Member
    edited September 2022
    Sorry for the delay in responding, zyman. That worked, though I really only needed to add a policy route for the SSL VPN scope at Site B. As it was, there was no return path for the connection, which I managed to overlook. Thank you!
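The forward and return paths that the accepted answer configures, and the missing return route NEP describes in the reply above, as a small Python model added here (it is not configuration from the thread or from the firewall vendor). Addresses follow the accepted answer (10.10.10.x SSL VPN pool, 192.168.80.x at Site B); the /24 prefix lengths, the interface and zone names, the pre-existing allow rule at Site B from the tunnel into the LAN, and the stateful handling of replies are all assumptions made for the example. It traces a request from an SSL VPN client to a Site B host and the reply back, once with only the Site A configuration and once with Site B's policy route added, and reports where each packet is dropped.

```python
"""Constructed model of the path in this thread:
user -> (SSL VPN) -> Site A firewall -> (IPSec tunnel) -> Site B firewall -> resource
Addresses follow the accepted answer; prefix lengths, interface and zone names and
Site B's existing allow rule from the tunnel are assumptions made for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

def _in(addr, prefix):
    return ip_address(addr) in ip_network(prefix)

@dataclass
class Firewall:
    name: str
    interfaces: dict                 # iface -> (zone, connected prefix or None for a tunnel)
    policy_routes: list = field(default_factory=list)      # (src_prefix, dst_prefix, egress)
    security_policies: list = field(default_factory=list)  # (from_zone, to_zone, src, dst, action)

    def route(self, src, dst):
        """Policy routes are consulted first, then directly connected networks."""
        for s, d, egress in self.policy_routes:
            if _in(src, s) and _in(dst, d):
                return egress
        for iface, (_zone, prefix) in self.interfaces.items():
            if prefix and _in(dst, prefix):
                return iface
        return None

    def permitted(self, src, dst, from_zone, to_zone):
        """First matching zone-pair policy wins; no match means default deny."""
        for fz, tz, s, d, action in self.security_policies:
            if (fz, tz) == (from_zone, to_zone) and _in(src, s) and _in(dst, d):
                return action == "allow"
        return False

    def forward(self, src, dst, ingress, established):
        """Decide one packet: return (egress interface or None, explanation)."""
        egress = self.route(src, dst)
        if egress is None:
            return None, f"{self.name}: no route to {dst}, dropped"
        fz, tz = self.interfaces[ingress][0], self.interfaces[egress][0]
        # Only the first packet of a session is checked against the zone policy;
        # a reply to an established session is matched in the state table instead.
        if not established and not self.permitted(src, dst, fz, tz):
            return None, f"{self.name}: {fz} -> {tz} denied for {src} -> {dst}"
        return egress, f"{self.name}: {ingress} -> {egress}"

def trace(src, dst, firewalls, links, entry, established=False):
    """Walk one packet hop by hop; return (delivered, log of decisions)."""
    log, (fw_name, ingress) = [], entry
    for _ in range(8):                          # hop limit guards against routing loops
        fw = firewalls[fw_name]
        egress, why = fw.forward(src, dst, ingress, established)
        log.append(why)
        if egress is None:
            return False, log
        prefix = fw.interfaces[egress][1]
        if prefix and _in(dst, prefix):
            return True, log + [f"{fw.name}: delivered to {dst} on {egress}"]
        if (fw_name, egress) not in links:
            return False, log + [f"{fw.name}: {egress} is not connected, dropped"]
        fw_name, ingress = links[(fw_name, egress)]
    return False, log + ["hop limit exceeded"]

def build(with_return_route):
    """Site A as the accepted answer configures it; Site B optionally gets its policy route."""
    site_a = Firewall("SiteA", {"sslvpn": ("SSL_VPN", "10.10.10.0/24"),
                                "lan1": ("LAN", "192.168.90.0/24"),
                                "tun_siteB": ("IPSec_VPN", None)})
    site_a.policy_routes.append(("10.10.10.0/24", "192.168.80.0/24", "tun_siteB"))    # Site A step 1
    site_a.security_policies.append(("SSL_VPN", "IPSec_VPN", "10.10.10.0/24", "192.168.80.0/24", "allow"))  # step 2
    site_b = Firewall("SiteB", {"lan1": ("LAN", "192.168.80.0/24"),
                                "tun_siteA": ("IPSec_VPN", None)})
    # Assumed pre-existing rule at Site B: traffic arriving over the tunnel may enter the LAN
    site_b.security_policies.append(("IPSec_VPN", "LAN", "0.0.0.0/0", "0.0.0.0/0", "allow"))
    if with_return_route:   # Site B step 1 of the accepted answer: the return path for the pool
        site_b.policy_routes.append(("192.168.80.0/24", "10.10.10.0/24", "tun_siteA"))
    links = {("SiteA", "tun_siteB"): ("SiteB", "tun_siteA"),
             ("SiteB", "tun_siteA"): ("SiteA", "tun_siteB")}
    return {"SiteA": site_a, "SiteB": site_b}, links

def simulate(with_return_route):
    """Return (request reached the resource, reply reached the client, combined log)."""
    firewalls, links = build(with_return_route)
    client, resource = "10.10.10.5", "192.168.80.20"        # constructed sample hosts
    req_ok, log = trace(client, resource, firewalls, links, ("SiteA", "sslvpn"))
    rep_ok, rlog = trace(resource, client, firewalls, links, ("SiteB", "lan1"), established=req_ok)
    return req_ok, rep_ok, log + rlog

if __name__ == "__main__":
    for flag in (False, True):
        req, rep, log = simulate(flag)
        print(f"return route at Site B = {flag}: request delivered {req}, reply delivered {rep}")
        print("\n".join("    " + line for line in log))
```

Without the Site B policy route the request is delivered but the reply is dropped at Site B with "no route to 10.10.10.5", which is the one-way path NEP overlooked; with the route added both directions complete. The model also shows why a security policy at Site B was not strictly required in NEP's case: the session is initiated from the SSL VPN side, so the reply only needs a route, not a new zone-pair rule.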
