Accessing Resources Across a Site-to-Site Tunnel when Connected via SSL VPN
Hello,
I have a question about accessing resources across a S2S tunnel when connected to an SSL VPN.
Currently, we have multiple sites. They are all connected with an IPSEC VPN. When on site, a user can access any resource at any site on any port (that is allowed by policy).
Users working remotely connect with an SSL VPN (not in Full Tunnel Mode) to their respective site. Recently, we moved a user from one site to another. This was done because of an issue with that device's firmware. Ultimately, it is a better connection for them, so we left them. Anyway, now the user can't access a certain resource from another site. A resource at the site that they used to connect to. That said, it's not specific to this resource. We just don't have many people doing this. When connected with the SSL VPN, only resources (e.g. subnets) at that site are accessible to the user.
My question is, can the system be configured to allow this access? Via Security Policy? Say the firewall at Site A hands out 10.10.10.x addresses for SSL VPN, Site A internally hands out 192.168.90.x addresses, and Site B hands out 192.168.70.x addresses. What must be configured to allow a 10.10.10.x (SSL VPN > Site A) IP to access 192.168.70.x (Site B) resources? Is it possible?
user -> (SSL VPN) -> Site A firewall -> (IPSEC tunnel) -> Site B firewall -> resource
Thanks and have a good weekend!
Accepted Solution
You need to configure a route and a security policy on both sites:
Site A:
1. Create a policy route (Network > Routing > Policy Route)
source: 10.10.10.x
destination: 192.168.80.x (Site B)
next-hop: VPN tunnel, select the S2S tunnel to Site B
2. Security Policy (Security Policy > Policy Control)
From: SSL_VPN
To: IPSec_VPN
source: 10.10.10.x
destination: 192.168.80.x (Site B)
action: allow
3. SSL VPN Network (VPN > SSL VPN > Access Privilege)
Edit the SSL VPN policy, add 192.168.80.x (Site B) into the Network List.
Site B:
1. Create a policy route (Network > Routing > Policy Route)
source: 192.168.80.x (Site B)
destination: 10.10.10.x
next-hop: VPN tunnel, select the S2S tunnel to Site A
2. Security Policy (Security Policy > Policy Control)
From: LAN
To: IPSec_VPN
source: 192.168.80.x (Site B)
destination: 10.10.10.x
action: allow
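The route-and-policy steps above, as a constructed Python model added here (not Zyxel's code or configuration): it traces the SSL VPN client's session to Site B and the reply back, and shows that without the Site B policy route the reply to 10.10.10.x falls through to the default route, which is the missing return path the original poster later found. The model assumes a stateful firewall (policy checked on the session's first packet only), a pre-existing IPSec_VPN-to-LAN allow rule at Site B, and the constructed hosts 10.10.10.5 and 192.168.80.20.

```python
import ipaddress

# Constructed model of the thread's topology, not Zyxel's data model. The firewall is
# stateful: policy is checked on a session's first packet only, but the reply still
# needs a route back, which is the piece the thread overlooked at Site B.
def net(c):
    return ipaddress.ip_network(c)

def firewall(zones, routes, policies):
    return {"zones": [(net(c), z) for c, z in zones],               # connected nets
            "routes": [(net(s), net(d), z) for s, d, z in routes],  # policy routes
            "policies": [(f, t, net(s), net(d)) for f, t, s, d in policies]}

def zone_of(fw, ip):       # destination lookup; unknown prefixes take the default route
    return next((z for n, z in fw["zones"] if ip in n), "WAN")

def egress(fw, src, dst):  # policy routes are consulted before the routing table
    return next((z for s, d, z in fw["routes"] if src in s and dst in d), zone_of(fw, dst))

def allowed(fw, frm, to, src, dst):
    return any(f == frm and t == to and src in s and dst in d for f, t, s, d in fw["policies"])

def session(site_a, site_b, client, server):
    """Trace client->server via A then B and the reply back; stop at the first failing hop."""
    client, server = ipaddress.ip_address(client), ipaddress.ip_address(server)
    plan = [("Site A", "fwd", site_a, "SSL_VPN", client, server, "IPSec_VPN"),
            ("Site B", "fwd", site_b, "IPSec_VPN", client, server, "LAN"),
            ("Site B", "ret", site_b, "LAN", server, client, "IPSec_VPN"),
            ("Site A", "ret", site_a, "IPSec_VPN", server, client, "SSL_VPN")]
    trace = []
    for name, dirn, fw, ingress, src, dst, want in plan:
        out = egress(fw, src, dst)
        if out != want:
            trace.append((name, dirn, f"no route: leaves via {out}")); break
        if dirn == "fwd" and not allowed(fw, ingress, out, src, dst):
            trace.append((name, dirn, f"blocked by policy {ingress}->{out}")); break
        trace.append((name, dirn, "ok"))
    return trace

def reachable(trace):
    return all(v == "ok" for _, _, v in trace)

# Constructed configs using the thread's addressing (Site B = 192.168.80.x as in the answer).
SITE_A = firewall([("10.10.10.0/24", "SSL_VPN"), ("192.168.90.0/24", "LAN")],
                  [("10.10.10.0/24", "192.168.80.0/24", "IPSec_VPN")],             # A, step 1
                  [("SSL_VPN", "IPSec_VPN", "10.10.10.0/24", "192.168.80.0/24")])  # A, step 2
B_ZONES, B_ROUTES = [("192.168.80.0/24", "LAN")], [("192.168.80.0/24", "192.168.90.0/24", "IPSec_VPN")]
B_POLICIES = [("IPSec_VPN", "LAN", "0.0.0.0/0", "192.168.80.0/24")]  # assumed pre-existing allow rule
SITE_B_BEFORE = firewall(B_ZONES, B_ROUTES, B_POLICIES)              # no return route for 10.10.10.x
SITE_B_AFTER = firewall(B_ZONES, B_ROUTES + [("192.168.80.0/24", "10.10.10.0/24", "IPSec_VPN")], B_POLICIES)
```

Calling `session(SITE_A, SITE_B_BEFORE, "10.10.10.5", "192.168.80.20")` stops at Site B's return hop with "no route: leaves via WAN"; the same call with `SITE_B_AFTER` returns four "ok" hops.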
All Replies
Sorry for the delay in responding, zyman. That worked, though I really only needed to add a policy route for the SSL VPN scope at Site B. As it was, there was no return path for the connection, which I managed to overlook. Thank you!