Accessing Resources Across a Site-to-Site Tunnel when Connected via SSL VPN

NEP
NEP Posts: 74  Ally Member
First Comment Friend Collector Second Anniversary
edited September 2022 in Security
Hello,

I have a question about accessing resources across a S2S tunnel when connected to an SSL VPN.

Currently, we have multiple sites. They are all connected with an IPSEC VPN. When on site, a user can access any resource at any site on any port (that is allowed by policy).

Users working remotely connect with an SSL VPN (not in Full Tunnel Mode) to their respective site. Recently, we moved a user from one site to another. This was done because of an issue with that device's firmware. Ultimately, it is a better connection for them, so we left them. Anyway, now the user can't access a certain resource from another site. A resource at the site that they used to connect to. That said, it's not specific to this resource. We just don't have many people doing this. When connected with the SSL VPN, only resources (eg. subnets) at that site are accessible to the user.

My question is, can the system be configured to allow this access? Via Security Policy? Say the firewall at Site A hands out 10.10.10.x addresses for SSL VPN, Site A internally hands out 192.168.90.x addresses, and Site B hands out 192.168.70.x addresses. What must be configured to allow a 10.10.10.x (SSL VPN > Site A) IP to access 192.168.70.x (Site B ) resources? Is it possible?

user -> (SSL VPN) -> Site A firewall -> (IPSEC tunnel) -> Site B firewall -> resource

Thanks and have a good weekend!

Accepted Solution

  • zyman2008
    zyman2008 Posts: 223  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary
    Answer ✓
    You need to configure route and security policy on both sites,
    Site A:

    1.Create a policy route (Network > Routing > Policy Route)
    source: 10.10.10.x
    destination: 192.168.80.x(SiteB)
    next-hop: VPN tunnel, select the S2S tunnel to SiteB

    2. Security Policy (Security Policy > Policy Control)
    From: SSL_VPN
    To: IPSec_VPN
    source: 10.10.10.x
    destination: 192.168.80.x(SiteB)
    action: allow

    3. SSL VPN Network (VPN > SSL VPN > Access Privilege)
    Edit the SSL VPN policy, add 192.168.80.x(siteB) into the Network List.

    SiteB:
    1. Create a policy route (Network > Routing > Policy Route)
    source: 192.168.80.x(SiteB)
    destination: 10.10.10.x
    next-hop: VPN tunnel, select the S2S tunnel to SiteA

    2.Security Policy (Security Policy > Policy Control)
    From: LAN
    To: IPSec_VPN
    source: 192.168.80.x(SiteB)
    destination: 10.10.10.x
    action: allow

All Replies

  • zyman2008
    zyman2008 Posts: 223  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary
    Answer ✓
    You need to configure route and security policy on both sites,
    Site A:

    1.Create a policy route (Network > Routing > Policy Route)
    source: 10.10.10.x
    destination: 192.168.80.x(SiteB)
    next-hop: VPN tunnel, select the S2S tunnel to SiteB

    2. Security Policy (Security Policy > Policy Control)
    From: SSL_VPN
    To: IPSec_VPN
    source: 10.10.10.x
    destination: 192.168.80.x(SiteB)
    action: allow

    3. SSL VPN Network (VPN > SSL VPN > Access Privilege)
    Edit the SSL VPN policy, add 192.168.80.x(siteB) into the Network List.

    SiteB:
    1. Create a policy route (Network > Routing > Policy Route)
    source: 192.168.80.x(SiteB)
    destination: 10.10.10.x
    next-hop: VPN tunnel, select the S2S tunnel to SiteA

    2.Security Policy (Security Policy > Policy Control)
    From: LAN
    To: IPSec_VPN
    source: 192.168.80.x(SiteB)
    destination: 10.10.10.x
    action: allow

  • NEP
    NEP Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    edited September 2022
    Sorry for the delay in responding zyman. That worked, though I really only needed to add a policy route for the SSL VPN scope at Site B. As it was, there was no return path for the connection, which I managed to overlook. Thank you!

Security Highlight