Different rules depending on SSLVPN user group?
I'm trying to apply different NAT rules to users depending on whether they are connected to SSLVPN or not and added to a user group (optional, but it would be useful).
Here is what I want to do:
#1: If an SSLVPN user (origin = 10.10.xx.xx) added to group "my group" asks for public IP 18.104.22.168 (80)
=> Redirect to private IP 22.214.171.124 (80)
#2: If a public user (origin = any) / no group asks for public IP 126.96.36.199 (80)
=> Redirect to private IP 188.8.131.52 (80)
What I did is 2 Access Rules:
#1 : From SSLVPN to DMZ - Source 10.10.xx.xx - Dest 184.108.40.206 (80) - Users Incl. "my group"
#2 : From WAN to DMZ - Source Any - Dest 220.127.116.11 (80)
And 2 NAT Policies :
#1 : Source 10.10.xx.xx - Original Dest 18.104.22.168 - Translated Dest 22.214.171.124
#2 : Source Any - Original Dest 126.96.36.199 - Translated Dest 188.8.131.52
The #1 rule and NAT policy have a lower priority number.
But connected or not, everything goes through the #2 rule and NAT policy (0 packets on #1).
Does anyone know what I'm doing wrong?
The user group field is only present for an access rule and not the NAT policy. If the traffic is allowed per the access rule, the NAT rule is chosen as per the priority.
Since the destination address is 184.108.40.206, whichever NAT policy is at a higher priority will get triggered.
You are using SSLVPN, so you should have direct access to the internal addresses. You can control which internal IP is allowed for a certain user/user group based on their VPN access.
Maxime (Newbie)
Thanks for the information. The problem is that it is a public IP for a website, we cannot point to a private IP.
The idea behind all this is to check an Apache proxypass on 220.127.116.11 that redirects to 18.104.22.168 before setting the destination to 22.214.171.124.
But it made me think about a simpler solution: I'll just do it with the Windows hosts file to point to local 126.96.36.199, or assign another public address and do the same.
Thank you both, I think I'll be able to do what I want.
What is the pool of your SSL-VPN users, i.e. which addresses are you assigning them for their SSL-VPN session in the Device Profile? If it's not in the 10.10.xx.xx range you'll probably have your answer.
If the NetExtender clients are getting 10.10.x.x addresses assigned, I would suspect it should work.
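To make the two points above concrete (the NAT policy has no user/group field and is picked purely by priority among the policies whose source and original destination match; and a source-specific rule silently falls through to the "Any" rule when the VPN client's actual address is outside the expected pool), here is a small first-match evaluator. It is an added illustration written for this thread, not SonicWall code, and it deliberately ignores zones, services other than a TCP port, and everything else a real firewall checks. All addresses are constructed placeholders from the RFC 5737/1918 ranges, not the ones in the posts.

```python
"""Toy first-match evaluator for access rules and NAT policies.

Constructed example for illustration only; not vendor code.
Addresses are placeholders (RFC 5737 / RFC 1918), not the thread's.
"""
import ipaddress
from dataclasses import dataclass


def addr_matches(spec: str, ip: str) -> bool:
    """'any' matches everything; otherwise spec is a host or CIDR."""
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class AccessRule:
    name: str
    priority: int                  # lower number = evaluated first
    source: str
    dest: str
    port: int
    users: frozenset = frozenset()  # empty = no user-group restriction


@dataclass(frozen=True)
class NatPolicy:
    name: str
    priority: int
    source: str
    orig_dest: str
    trans_dest: str
    # Note: no user/group field; NAT selection never looks at the user.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    groups: frozenset = frozenset()  # groups the authenticated user belongs to


def first_access_rule(rules, pkt):
    """Return the highest-priority access rule matching the packet, or None."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.port != pkt.dst_port:
            continue
        if not (addr_matches(r.source, pkt.src_ip) and addr_matches(r.dest, pkt.dst_ip)):
            continue
        if r.users and not (r.users & pkt.groups):
            continue  # rule restricted to a group the user is not in
        return r
    return None


def first_nat_policy(policies, pkt):
    """NAT is chosen by priority among policies matching source/original dest only."""
    for p in sorted(policies, key=lambda p: p.priority):
        if addr_matches(p.source, pkt.src_ip) and addr_matches(p.orig_dest, pkt.dst_ip):
            return p
    return None


def evaluate(rules, policies, pkt):
    """Return (access rule name or 'DENY', NAT policy name, final destination)."""
    rule = first_access_rule(rules, pkt)
    if rule is None:
        return ("DENY", None, None)
    nat = first_nat_policy(policies, pkt)
    return (rule.name, nat.name if nat else None, nat.trans_dest if nat else pkt.dst_ip)


# Constructed placeholders standing in for the thread's addresses.
SSLVPN_POOL = "10.10.0.0/16"      # the NetExtender address pool
PUBLIC_WEB = "203.0.113.10"       # the public IP both rules are written against
DMZ_WEB_FOR_VPN = "192.168.50.10"  # translated destination for VPN users
DMZ_WEB_PUBLIC = "192.168.50.20"   # translated destination for everyone else

ACCESS_RULES = [
    AccessRule("#1", 1, SSLVPN_POOL, PUBLIC_WEB, 80, frozenset({"my group"})),
    AccessRule("#2", 2, "any", PUBLIC_WEB, 80),
]
NAT_POLICIES = [
    NatPolicy("NAT #1", 1, SSLVPN_POOL, PUBLIC_WEB, DMZ_WEB_FOR_VPN),
    NatPolicy("NAT #2", 2, "any", PUBLIC_WEB, DMZ_WEB_PUBLIC),
]


def scenarios():
    """Four constructed packets covering the cases discussed in the thread."""
    g = frozenset({"my group"})
    return {
        "vpn user in pool, in group": Packet("10.10.0.5", PUBLIC_WEB, 80, g),
        "internet user": Packet("198.51.100.7", PUBLIC_WEB, 80),
        "vpn user outside pool, in group": Packet("10.20.0.5", PUBLIC_WEB, 80, g),
        "vpn user in pool, not in group": Packet("10.10.0.5", PUBLIC_WEB, 80),
    }


if __name__ == "__main__":
    for label, pkt in scenarios().items():
        print(f"{label:34s} -> {evaluate(ACCESS_RULES, NAT_POLICIES, pkt)}")
```

The third scenario reproduces what the original post observed: a client that is not actually inside 10.10.0.0/16 never matches rule #1 or NAT #1, so every packet is counted against #2. The fourth shows the other side of the first answer: a user who is allowed only by the "Any" access rule still gets NAT #1 applied, because NAT selection looks at addresses and priority, never at group membership.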
Thanks for your answer.
Yep, 10.10.xx.xx is the IP pool (address group) assigned to the users connected with NetExtender.
I disconnected / reconnected NetExtender multiple times to check.
Hmm, I just thought about something. Maybe 188.8.131.52 should be added to client routes on the default profile.
Sure thing, 184.108.40.206 should be in the routes and of course in SSL VPN Access. Maybe a Tunnel All would be easier, depending on the number of hosts you wanna route via SSL VPN.