Forum Discussion
Selective SNAT in VPN
I have a fully working VPN (Network Access) on BIGIP; very easy to set up.
I have an RFC1918 IP pool 10.10.1.1-10.10.1.254 allocated for the VPN clients, and my BIGIP has a couple of network interfaces. If I enable AutoMap, everything works nicely.
Question: is it possible to do a selective SNAT based on where the client wants to go? If yes, how?
I'm trying to keep the RFC1918 IPs when clients talk to internal resources in our network, but I would like to SNAT only the traffic going to the Internet (it leaves through a specific interface that has its own self-ip).
- jemasNimbostratus
- Because the NAT device at the destination network keeps a NAT table, and when it translates it back, the VPN server responds on the ARP for the IP address and then the VPN server tunnels it back to the VPN client. The same as any device on your network contacts the VPN client really.
- Shaun_SimmonsEmployee
Better said, Thank you Jemas
- Shaun_SimmonsEmployee
You could simplify the configuration and not use a lease pool. Have all clients connect to one SNAT IP via a SNAT pool, applied to the VIP, instead of "AutoMap". --Local -> Address Translation --> SNAT Pool. That way you take out a layer of "complexity", knowing it is not a DHCP lease issue.
Network Configuration
--If you have a SELF IP for every Subnet needed for all of your applications/VIPs, then the clients will be able to route to where they need, as long as they have an IP that is one of the Self IP subnets you have configured. The F5 is a Layer 2("switch"), if it does not own the .1, where the routing will traverse the respective Self IP, versus the Default Route, if an IP is not matched.
iRule idea --
Try "when HTTP_RESPONSE_RELEASE" versus "when CLIENT_ACCEPTED"
- JurajCirrus
I'm sorry, I'm a bit confused now. I'm configuring Network Access VPN for EDGE client. HTTP_RESPONSE_RELEASE doesn't get triggered either by the VPN client.
To be honest, I do not follow what you're trying to say.
This is my situation:
- I have Network Access VPN for Edge clients
- I do not have problems with DHCP, the clients get their IPs assigned properly once they connect to VPN; the IP is from 10.10.1.1-10.10.1.254, routable in our network, but not routable in the Internet
- everything works without any problems, if I apply AutoMap or SNAT-pool to the Network Resource.
My problem is that I want to SNAT only when they go to the Internet, i.e. their traffic leaves via a specific BIGIP interface
- JurajCirrus
My apologies, I do appreciate you're trying to help me, but with all due respect I have no idea what you're talking about. It doesn't make sense to me.
- Shaun_SimmonsEmployee
Take a look at this link, which I believe should satisfy your request:
- JurajCirrus
Thanks for your response Shaun. I started with that article first, before posting my question here. Unfortunately, that doesn't provide a desired solution.
CLIENT_ACCEPTED gets triggered only when the VPN client is connecting to VPN VS, but not after the VPN client is already connected and has the VPN IP assigned from the pool.
LB_SELECTED doesn't get triggered at all, since there's no back-end server assigned to a VPN VS.
So, unless I'm doing something wrong, the above link doesn't provide the expected result.
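One way to express the selective SNAT the thread is after as an iRule. This is an added example, not something posted in the discussion, and it makes three assumptions that are not in the original posts: the Network Access resource itself is set to SNAT "None", a wildcard forwarding (IP) virtual server carries the tunnelled clients' egress traffic so CLIENT_ACCEPTED fires per flow, and a SNAT pool named snatpool_internet exists on the Internet-facing self-IP's subnet.

```tcl
# Added example, not from the thread. Selective SNAT for Network Access clients.
# Assumptions (hypothetical, not in the original posts):
#  - the Network Access resource has SNAT set to "None", so tunnelled traffic
#    leaves with its lease-pool address (10.10.1.0/24 in the thread);
#  - this iRule is attached to a wildcard forwarding (IP) virtual server
#    (0.0.0.0/0) that handles the VPN clients' egress traffic, so CLIENT_ACCEPTED
#    runs once for every new flow a connected client opens;
#  - a SNAT pool named "snatpool_internet" holds an address on the
#    Internet-facing self-IP's subnet.
when CLIENT_ACCEPTED {
    # On a forwarding virtual server, IP::local_addr is the destination the
    # VPN client is trying to reach.
    set dst [IP::local_addr]

    # Internal (RFC1918) destinations: keep the client's lease-pool address so
    # internal servers and their logs still see the real VPN client IP.
    if { [IP::addr $dst equals 10.0.0.0/8] ||
         [IP::addr $dst equals 172.16.0.0/12] ||
         [IP::addr $dst equals 192.168.0.0/16] } {
        snat none
    } else {
        # Anything else is Internet-bound: translate to the Internet-side pool
        # so the non-routable 10.10.1.x source never leaves the edge.
        snat pool snatpool_internet
    }
}
```

Because the decision is made per flow at CLIENT_ACCEPTED on the forwarding virtual server rather than on the VPN virtual server, it does not depend on LB_SELECTED or HTTP events, which the thread notes never fire for tunnelled traffic.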