12.2 Configuring Source NAT for SSL VPN

You can configure source NAT (SNAT) for SSL VPN Enterprise mode so that the dynamically assigned client addresses are rewritten to the address of the SSL VPN server before packets are sent to the application server. The application server then uses that source address to send replies back to the SSL VPN server, which restores the client address and forwards the packets to the client. This is the best approach if you are using SSL VPN for TCP and UDP applications. Other applications, such as Active FTP and TFTP, cannot work in this type of environment.

To establish this type of routing, you need to create an iptables rule entry on the SSL VPN server.

12.2.1 Configuring SNAT for Enterprise Mode

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

    The Server configuration page is displayed.

  2. Select Advanced Configuration from the Gateway Configuration section.

    The SSL VPN Advanced Configuration page is displayed.

  3. If the SSL VPN server is a member of a cluster, the Cluster Member option is displayed. SNAT entry configuration is specific to each cluster member. Select the IP address of the cluster member for which you want to configure the SNAT entry.

  4. To configure a new SNAT entry, click New.

    The New dialog box opens.

  5. Specify the information in the following format:

    --protocol (-p): This is an optional parameter. To specify a protocol, select a protocol from the list. The protocol can be ANY, UDP, TCP or ICMP. By default, the ANY option is selected.

    --source (-s): Specifies the IP address of the subnet pool where SSL VPN assigns the IP address to each client in Enterprise mode.

    NOTE: This field is populated with the Enterprise mode IP address by default. However, you can edit the value in this field if you want to use it to add iptables SNAT entries for other cases in Kiosk mode, such as full tunneling.

    --destination (-d): This is an optional parameter. You can specify either a single host IP address as the destination, or an IP address and network mask combination in the following format:

    <destination>/<SubnetMask>

    The network mask must be in dotted decimal format only.

    --destination-port (--dport): This is an optional parameter. You can specify the destination port.

    -j SNAT --to-source (--to): This is a mandatory parameter. Specify a valid IP address of SSL VPN server.

    Provide additional parameters (Will be appended to command): You can add any other parameters your configuration requires, but these parameters are not validated.

    Click OK.

    The new SNAT entry is displayed in the following format:

    iptables -t nat -A POSTROUTING -p <Any> -s <openVPNSubnetIP> -d <destinationIP> --dport <destinationPort> -j SNAT --to <privateIPSSLVPN> <additional parameters>

  6. To save your modifications, click OK, then click Update on the Configuration page.

12.2.2 Ordering SNAT Entries

You can configure SNAT rules for a user's role. However, the SNAT entries are processed in the order in which they are listed. If you want to change the order of the rules according to their priority, click the up or down arrows to move them up or down respectively.
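The following shell function is an added example, not part of the product or its documentation. It assembles the POSTROUTING SNAT command in the format shown in Section 12.2.1 from the same fields, adds two checks that the console's unvalidated "additional parameters" field does not perform, and shows why the entry order in Section 12.2.2 matters: `-A` appends, so the first matching entry wins. The client pool 10.8.0.0/255.255.255.0, application server 192.168.1.10, SSL VPN private address 192.168.1.5 and the interface eth0 are constructed values; representing the console's ANY protocol default as an empty PROTO that omits `-p` is an assumption.

```shell
#!/bin/sh
# Constructed example: build an iptables SNAT entry for SSL VPN Enterprise mode.
# Usage: build_snat_rule PROTO SRC DST DPORT TO_SOURCE [EXTRA...]
#   PROTO  : tcp, udp, icmp, or "" for the console's ANY default (assumed to omit -p)
#   SRC    : Enterprise mode client subnet pool (--source)
#   DST    : optional destination host or <destination>/<SubnetMask>, "" to omit
#   DPORT  : optional destination port, "" to omit
#   TO_SOURCE : mandatory private IP address of the SSL VPN server
#   EXTRA  : appended verbatim, like the console's "additional parameters" field
# Prints the command line (it does not run it); returns 1 on a bad combination.
build_snat_rule() {
    proto=$1; src=$2; dst=$3; dport=$4; to=$5
    shift 5
    extra=$*

    # --to-source is mandatory: require a dotted-decimal IPv4 address.
    case $to in
        ""|*[!0-9.]*) echo "invalid --to-source: '$to'" >&2; return 1 ;;
    esac

    # iptables accepts --dport only together with -p tcp or -p udp, so an entry
    # that leaves the protocol at ANY but sets a port would be rejected when loaded.
    if [ -n "$dport" ]; then
        case $proto in
            tcp|udp) ;;
            *) echo "--dport requires protocol tcp or udp, got '$proto'" >&2; return 1 ;;
        esac
    fi

    rule="iptables -t nat -A POSTROUTING"
    [ -n "$proto" ] && rule="$rule -p $proto"
    rule="$rule -s $src"
    [ -n "$dst" ] && rule="$rule -d $dst"
    [ -n "$dport" ] && rule="$rule --dport $dport"
    rule="$rule -j SNAT --to $to"
    [ -n "$extra" ] && rule="$rule $extra"
    printf '%s\n' "$rule"
}

# Ordering demonstration (constructed values): the specific entry for the
# application server is appended first, the catch-all for the pool last.
# Reversing them would make the catch-all match every packet first.
build_snat_rule tcp 10.8.0.0/255.255.255.0 192.168.1.10 80 192.168.1.5
build_snat_rule "" 10.8.0.0/255.255.255.0 "" "" 192.168.1.5 -o eth0
```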