Forum Discussion
Setting VPN to come from assigned IP pool
As an alternative, you can set up a separate network access resource that uses its own SNAT pool (say, with a single address) for use by the team connecting over the VPN. For example... Have an access policy that has an authenticate step (e.g., using Active Directory), then a follow-up step that checks the local user database for the user ID and its membership in a particular group. On a match, assign it a network access resource that uses the "special" SNAT; otherwise, assign the one everyone else uses. In this case, the local user database isn't authenticated against, just checked for the user and their group, which occurs in the background.
The unique SNAT can be used as an "allow" IP for accessing resources, as it will show up as the user's source address. Hopefully this makes sense; I just finished getting this working myself.
Lastly, sure, you can do some group membership checks in Active Directory, but using the local user database gives you more control.