A user can obtain an IP address from SSL VPN network extension, but cannot ping the loopback interface or any physical interface other than the one used for the SSL VPN gateway.
This is the topology:
No policy restriction is configured from other zones to the local zone. For example, when the user gets IP 172.16.251.110 from SSL VPN network extension, he cannot ping the physical interface with IP 17184.108.40.206 or the loopback interface with IP 172.16.20.1.
However, he can ping the device (172.16.251.253) that is in the LAN.
The related configuration for SSL VPN:
network-extension netpool 172.16.251.100 172.16.251.200 255.255.255.0
network-extension mode manual
network-extension manual-route 172.16.252.0 255.255.252.0
network-extension manual-route 172.16.251.0 255.255.255.0
network-extension manual-route 172.16.120.1 255.255.255.255