SSL VPN - Access to internal resources without SNAT

Question

I have a single-arm F5 (one VLAN for both external and internal IP address ranges). The internal, private IP addresses are assigned to VPN clients. The security team needs to build firewall rules around those private DHCP addresses, so SNAT isn't an option.&nbsp;
The default route on the F5 points to the public IP address of the shared VLAN.&nbsp;
When I configure the Network Access with Proxy ARP, internal resources see the client IP as showing up as the public local (non-float) self-IP address. &nbsp;
When I disable Proxy ARP, the internal resources see the DHCP address, but I'm unable to connect to them;  no ARP entries on the router with client MAC/IP addresses. External resources are reachable (Split tunnel).&nbsp;
Anybody have suggestions on what to try next?&nbsp;

bigd_300005 · Answer

Have you looked into using F5's ACLs into doing what the security team is trying to do with a firewall? Then do your policy based off user name instead of IP addresses.&nbsp;
Otherwise this might work: https://support.f5.com/csp/article/K4816&nbsp;

m_quevedo · Answer

Get IP Adresses from DHCP For APM VPN Clients / Network Access Tunnels&nbsp;

Forum Discussion

SSL VPN - Access to internal resources without SNAT

Recent Discussions

how to whitelist new source IP on F5 web UI access

F5 to read a combined CRL file

Upgrade F5 BIGIP

ISP Load Balancing, SNAT pool instead of Automap link self-ip, anyway to do health check ?

MAC address of deleted VS IP address still responsive

Related Content

DevCentral Resources

OWASP Resources for Security Education and Training

APM Security: Protecting Internal Resources Using ACLs

F5 Resources for COVID-19

OWASP Tactical Access Defense Series: Unrestricted Resource Consumption

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS