Netgear SSL312 Installation Manual [zh]

SSL312 VPN Static Route

SSL312 Firmware version 2.0.03
FVX538 Firmware version 2.1.2-7

[Figure: network diagram. Labels: Remote client, Internet, FVX538, SSL312, SSL VPN Tunnel. Addresses shown: 25.0.0.50, 25.0.0.254, 25.0.0.2, 192.168.251.3]

This article illustrates the Split Tunnel SSL VPN and how to configure a static route on both the firewall and the SSL312 to allow the remote clients to access other PCs through the SSL VPN tunnel.
Issue:
The SSL VPN tunnel is established, but the remote client cannot ping or access other devices on the SSL312 VPN network.
Cause:
By default, the SSL VPN is configured to assign remote VPN clients IP addresses from the range of 192.168.251.1 through 192.168.251.254. This range of IP addresses may not be in the same subnet as your local network or as your SSL312.
Resolution:
1) Add a client route on the SSL312 to allow the VPN Tunnel client to connect to the corporate network using the VPN tunnel.
2) Add a client route on the corporate network's firewall to forward traffic intended for the VPN clients to the SSL VPN gateway.
This is the default IP address range that the SSL312 will be giving out to its remote VPN clients:
NOTE: By default the SSL VPN tunnel is set to use Split Tunnel – this means that the SSL312 does not know how to route traffic to the rest of the network without a static route defined. Unless you have configured your SSL312 to be in the same subnet as the VPN Client range, you will need to add a static route on the SSL312 before you can access other devices on the network.
To add a route on the SSL312, do the following:
1) Log into the Administrative Portal
2) Select “VPN Tunnel” under the “Access Administration” section
3) Scroll down to the “Add Routes for VPN Tunnel Clients” section and enter the network address of a local area network or subnet in the Destination Network field (e.g., 25.0.0.0)
4) Enter the subnet mask of the local area network in the Subnet Mask field
5) Click “Add Route” to add the route on your SSL312
In this example, the SSL312 is connected behind the FVX538 VPN Firewall router, which has a LAN subnet of 25.0.0.x. We therefore need to add a static route to this subnet so that the VPN clients on the 192.168.251.x subnet can talk to the rest of the PCs and devices behind the FVX538.
Furthermore, another static route is needed on the firewall or FVX538 to route external traffic to the SSL312. To do this, add a route for the SSL VPN client subnet that sends that traffic through the IP address of the SSL312 itself.
[Screenshot callouts: IP address of the SSL312; New IP address given to remote client by the SSL312]
At this time, once you have established the SSL VPN tunnel, you will see an additional IP address listed:
With the routes added on both the SSL312 and the firewall router, you are now able to ping through a local network:
[Screenshots: Routing table BEFORE VPN tunnel; Routing table AFTER VPN tunnel established, with callout "New route added"]
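The two-route requirement described above can be checked with a small model of both routing tables. This is an added example, not part of the Netgear manual; the /24 masks, the SSL312 address 25.0.0.2 and the WAN gateway 203.0.113.1 are assumptions made for the sketch.

```python
import ipaddress

# From the article: default client pool and the FVX538 LAN (25.0.0.x).
# Assumed here: /24 masks, the SSL312 LAN address, and the WAN gateway.
VPN_POOL = ipaddress.ip_network("192.168.251.0/24")
LAN = ipaddress.ip_network("25.0.0.0/24")
SSL312_IP = ipaddress.ip_address("25.0.0.2")      # assumed
WAN_GW = ipaddress.ip_address("203.0.113.1")      # constructed placeholder
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no match."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, hop) for net, hop in routes if dst in net]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def diagnose(client_routes, firewall_routes, client_ip, host_ip):
    """Return the reasons a tunnel client and a LAN host cannot talk."""
    problems = []
    # Forward path: with split tunnel, only destinations listed as client
    # routes on the SSL312 are sent into the tunnel at all.
    if lookup([(net, "tunnel") for net in client_routes], host_ip) is None:
        problems.append(f"SSL312: no client route covers {host_ip}")
    # Return path: LAN hosts reply via the firewall, which must send the
    # client pool to the SSL312 instead of out its default route.
    hit = lookup(firewall_routes, client_ip)
    if hit is None or hit[1] != SSL312_IP:
        problems.append(f"firewall: replies to {client_ip} do not go via SSL312")
    return problems


# Constructed tables: the firewall before and after the static route is added.
FW_BEFORE = [(DEFAULT, WAN_GW)]
FW_AFTER = FW_BEFORE + [(VPN_POOL, SSL312_IP)]

if __name__ == "__main__":
    client, host = "192.168.251.3", "25.0.0.50"
    for label, croutes, fw in (("before", [], FW_BEFORE),
                               ("after", [LAN], FW_AFTER)):
        print(label, diagnose(croutes, fw, client, host) or "reachable both ways")
```

With only the SSL312 client route in place, the model still reports the firewall problem: the reply matches the firewall's default route and leaves toward the Internet, which is the "tunnel up but no ping" symptom.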