
APM Automap inside Network Access VPN SSL which has NONE as SNAT Pool

Olowndez
Nimbostratus

Hello folks:

I have one APM v14.1.2 which is establishing VPN SSL tunnels. I am using the IPv4 lease pool segment 172.16.20.2 - 172.16.20.253. Such IPv4 segment is routed to reach some other segments in my network. Therefore, I am using None as the SNAT pool option in Access ›› Connectivity / VPN : Network Access (VPN) : Network Access Lists ›› vpn_for_me. As a result, every time a user connects via VPN, he uses one IP from the 172.16.20.X range to reach other network segments. However, I need the user to utilise a Self IP or a SNAT pool to reach a specific server, 10.10.10.10. In other words, I need to continue having such SNAT Pool NONE, but I need a SNAT Pool if the destination is a specific server. I am testing with an iRule event agent located before the Advanced Resource Assign agent, but I have not succeeded. Here's the iRule I am using:

# Fires when the iRule Event agent in the VPE is reached.
when ACCESS_POLICY_AGENT_EVENT {
  # Match the agent ID configured on the iRule Event agent, and the client's
  # source address, then apply SNAT automap to the current connection.
  if {([ACCESS::policy agent_id] eq "snat_inside_vpn") and ([IP::addr [IP::remote_addr] equals 10.1.20.17])} {
    snat automap
  }
}

Thanks in advance.

OL

3 REPLIES

Kin
F5 Employee

It is possible to assign a SNAT dynamically in the VPE during authentication by configuring the branches. Click +, and under Assignment choose Route Domain and SNAT Selection. But this wouldn't work once the user completes the Access Policy evaluation. If you want to change the SNAT dynamically during the course of the user's VPN usage, how about creating a layered virtual server with the desired SNAT? Say, listening on 10.10.10.0, and applying the SNAT on the VS. Remember to set VLANs and Tunnels on the VS so that it listens on the connectivity profile.
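As an added illustration of the layered virtual server Kin describes (not code from the thread or from F5), the tmsh commands below create a forwarding (IP) virtual server scoped to the single host 10.10.10.10 from the question, with SNAT automap applied and the listener restricted to the Network Access tunnel. Assumed names: /Common/vpn_connectivity for the APM connectivity profile (APM creates a tunnel of the same name for Network Access), and vs_vpn_to_10.10.10.10 for the new virtual. The lease pool and the SNAT Pool "None" setting on the Network Access resource stay as they are, so only traffic matching this more specific destination is source-translated.

```tcl
# Added example, not from the thread. Assumed names:
#   /Common/vpn_connectivity  - APM connectivity profile; its Network Access
#                               tunnel carries the same name
#   vs_vpn_to_10.10.10.10     - the layered virtual server created here
# 10.10.10.10 is the destination server from the question.

# Forwarding (IP) virtual for one destination host, any protocol, any port.
# A virtual with a /32 destination is more specific than any broader virtual
# carrying the rest of the tunnel traffic, so TMM selects it only for packets
# to 10.10.10.10 and applies SNAT automap (an egress self IP) to those alone.
create ltm virtual vs_vpn_to_10.10.10.10 \
    destination 10.10.10.10:any \
    mask 255.255.255.255 \
    ip-protocol any \
    ip-forward \
    profiles add { fastL4 } \
    source-address-translation { type automap } \
    vlans-enabled \
    vlans { /Common/vpn_connectivity }

# Check that the virtual listens only on the VPN tunnel and translates the
# source address; other VPN traffic keeps its 172.16.20.x lease address.
list ltm virtual vs_vpn_to_10.10.10.10 vlans vlans-enabled source-address-translation

save sys config
```

Restricting the virtual to the tunnel (vlans-enabled plus the tunnel name) is what keeps it from catching traffic to 10.10.10.10 that arrives on other VLANs; the self IP chosen by automap must be one that 10.10.10.10's network can route back to.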

Kin
F5 Employee

This article could be useful: https://support.f5.com/csp/article/K74534456

Fallout1984
Cirrocumulus

"I am using the IPv4 lease pool segment 172.16.20.2 - 172.16.20.253. Such IPv4 segment is routed to reach some other segments in my network."

Why not change the lease pool to a different range (one that's not in use in your network), and let an automapped SNAT address (a self IP) handle traffic to the 172.16.20.0/24 network? When the majority of our on-campus users switched to work-from-home, we had to add a larger lease pool which is non-routable (i.e. only relevant in the VPN user <=> F5 connection) and is set to SNAT automap. For tech support groups who need their own set of source addresses for VPN (to limit access to some devices to just their team), I've created separate SNAT pools for them to use.

Originally when VPN was set up we created self IPs for the lease pool range, but were later told it doesn't need them.