Forum Discussion
Setting VPN to come from assigned IP pool
I've set up full tunnel access on the APM and it works on my laptop; I can access the regular applications.
But when trying to get access to servers behind an internal firewall, it fails. Which is what I would expect, but the IP address it's trying to connect from as the source is the internal IP of the F5 device and not the IP address I've assigned to the laptop.
How can I set up the connection so that the source is the IP address I've assigned to my laptop?
I believe the answer lies with the SNAT pool, which is currently set to Auto Map, but I've not been able to understand how to configure it.
2 Replies
- Seth_Cooper
Employee
In the Network Access Resource, make sure to set the SNAT to None. This should fix your issue. You also need to make sure your network knows how to get back to the F5, so you will need to add some routing for the lease pool subnet on your network.
Seth
- Fallout1984
Cirrocumulus
As an alternative, you can set up a separate network access resource that uses its own SNAT pool (say, with a single address) for use by the team connecting over the VPN. For example... Have an access policy that has an authenticate step (ex. using Active Directory), then a follow-up step that checks the local user database for the user ID and its membership in a particular group. On a match, assign it a network access resource that uses the "special" SNAT, otherwise assign the one everyone else uses. In this case, the local user database isn't authenticated against, just checked for the user and their group, which occurs in the background.
The unique SNAT can be used as an "allow" IP for accessing resources, as it will show up as the user's source address. Hopefully this makes sense; I just finished getting this working myself.
Lastly, sure, you can do some group membership checks in Active Directory, but using the local user database gives you more control.