How to prevent SSL-VPN port from using all configured IP addresses

WAN1 port has got 5 different IPs from the same block. I noticed SSL-VPN is active on all of those IPs, but I wish for it to only reply on the main address.

Are you forced to write a specific firewall policy, or is there a way to only bind SSL-VPN service to a single, specific IP address?

As far as I know you can only select an interface, and if that interface has multiple IPs it will work on all of them.
I would suggest using a loopback interface for better security and with that you can also restrict it to one address.

You have two options:

  1. (The recommended one) Use a loopback interface. Create a loopback interface with a routed public IP, or if you do not have a routed pool, just do NAT via a VIP that maps one of your external interface IPs to your loopback IP. After that you can control the access to the VPN in the firewall policy (a good advantage).

  2. Use a local-in policy. Create a local-in policy that blocks access to the relevant external IPs on which you want to prevent VPN connectivity.

It sounds like you have configured 4 secondary IPs on your WAN interface; usually this is not best practice. What is the reason you configured it this way?

Create a loopback interface. Put your SSLVPN service on that loopback. Set up a VIP honoring inbound traffic to your VPN port from only one of those IPs. Point the VIP to your loopback interface where the VPN is waiting for connections.

Use a loopback and set its policy to use a NAT pool of the IP you want for SSL-VPN.

Loopback interface and NAT Policy

Check the Current SSL-VPN Configuration:

  • Access the CLI or GUI and verify the SSL-VPN configuration. Make sure it is enabled on the intended WAN interface.
  • show vpn ssl settings
  • Bind SSL-VPN to a Specific IP Address:

      config vpn ssl settings
          set source-interface
          set source-ip
      end

Update the Firewall Policy:

  • If necessary

Optional: Restrict Listening Ports (If Needed):

  • Confirm that the correct port (default is 443) is being used, and adjust as needed:

      config vpn ssl settings
          set port
      end

this

Create a loopback interface. Create a virtual ip object to map 1 public IP address to the internal loopback ip address and adjust your policy

This is the answer. Use the loopback with VIP

We chose to split several services on different IPs, and match different DNS hostnames to them… easier to manage if suppressing an IP does not disrupt other services that IP is not associated with.

Maybe a virtual interface associated with each public IP would be a better solution?

set source-ip

That’s not a thing for SSL-VPN.

To elaborate even further, use security profiles on the policy from WAN to loopback and have a more secure sslvpn overall. Combine this with local in policies, geo blocking and so on…

Why don’t you just use VIPs without configuring everything as a secondary IP?

To add even more on top of all of this, see my SSL VPN config here

This has a loopback with the VIP, plus blocks many ASNs of server rental companies, auto-blocks failed login attempts, uses the ISDB, blocks by geography, etc.

This will really limit the amount of brute-force attacks on your login.

Conflicting ports, i.e. different HTTPS servers, FTP servers, etc.

That does not make sense. To use one of your public IPs in a VIP you do not need to configure that public IP as a secondary IP.