Different rules depending on SSLVPN user group?
I'm trying to apply different NAT rules to users depending on whether they are connected to SSLVPN or not and added to a user group (optional, but it would be useful).
Here is what I want to do:
#1 : If an SSLVPN user (origin = 10.10.xx.xx) added to group "my group" requests public IP 220.127.116.11 (80)
=> Redirect to private IP 18.104.22.168 (80)
#2 : If a public user (origin = any) / no group requests public IP 22.214.171.124 (80)
=> Redirect to private IP 126.96.36.199 (80)
What I did is 2 Access Rules:
#1 : From SSLVPN to DMZ - Source 10.10.xx.xx - Dest 188.8.131.52 (80) - Users Incl. "my group"
#2 : From WAN to DMZ - Source Any - Dest 184.108.40.206 (80)
And 2 NAT Policies:
#1 : Source 10.10.xx.xx - Original Dest 220.127.116.11 - Translated Dest 18.104.22.168
#2 : Source Any - Original Dest 22.214.171.124 - Translated Dest 126.96.36.199
The #1 rule and NAT policy have a lower priority number.
But connected or not, everything goes through the #2 rule and NAT policy (0 packets on #1).
Does anyone know what I'm doing wrong?
The user group field is only present for an access rule and not the NAT policy. If the traffic is allowed per the access rule, the NAT rule is chosen as per the priority.
Since the destination address is 188.8.131.52, whichever NAT policy is at a higher priority will get triggered.
You are using SSLVPN, so you should have direct access to the internal addresses. You can control which internal IP is allowed for a certain user/user group based on their VPN access.
Technical Support Advisor, Premier Services
Maxime
Thanks for the information. The problem is that it is a public IP for a website, we cannot point to a private IP.
The idea behind all this is to check an Apache proxypass on 184.108.40.206 that redirects to 220.127.116.11 before setting the destination to 18.104.22.168.
But it made me think about a simpler solution: I'll just do it with the Windows hosts file to point to the local 22.214.171.124, or assign another public address and do the same.
Thank you both, I think I'll be able to do what I want.
What is the pool of your SSL-VPN users, i.e. which addresses are you assigning them for their SSL-VPN session in the Device Profile? If it's not in the 10.10.xx.xx range you'll probably have your answer.
If the NetExtender clients are getting 10.10.x.x addresses assigned, I would suspect it should work.
Thanks for your answer.
Yep, 10.10.xx.xx is the IP pool (address group) assigned to the users connected with NetExtender.
I disconnected / reconnected NetExtender multiple times to check.
Hmm, I just thought about something. Maybe 126.96.36.199 should be added to client routes on the default profile.
Sure thing, 188.8.131.52 should be in the routes and of course in SSL VPN Access. Maybe a Tunnel All would be easier, depending on the number of hosts you wanna route via SSL VPN.