2.2 Configuring Route and Source NAT for Enterprise Mode

In Enterprise mode, the SSL VPN assigns each client an IP address from the subnet specified in the configuration. The values in the OpenVPN Subnet Address and OpenVPN Subnet Mask fields determine the addresses that are assigned to the clients. Make sure that this pool does not collide with the clients' own addresses: choose a subnet that the clients are not already using on the networks they connect from.

For more information on configuring the IP address, see Section 2.1, Configuring the IP Address, Port, and Network Address Translation.

Packets from these clients reach the application server with the dynamically assigned OpenVPN address as the source address. The application server's response packets must be routed back to the SSL VPN, which forwards them to the clients. Because the OpenVPN subnet is not otherwise known to your network, you need to solve this routing problem in one of the following ways:

2.2.1 Configuring the OpenVPN Subnet in Routing Tables

If your network has a gateway between the application server and the SSL VPN, you can configure the gateway to route traffic for the dynamically assigned addresses in the OpenVPN address pool to the SSL VPN. This is the best routing approach because the clients' addresses are preserved end to end, so most applications, including active FTP and TFTP, work in this type of environment. To establish this routing, add a static route to your network's routing infrastructure so that traffic to the OpenVPN subnet pool is sent via the SSL VPN gateway.

2.2.2 Configuring Source NAT

You can configure source NAT (SNAT) to rewrite the dynamically assigned client addresses to the address of the SSL VPN before the packets are sent to the application server. The application server then replies to that source address, so the response packets arrive at the SSL VPN, which translates the destination back to the client's assigned address and forwards the packets to the client. This is the best approach if you are using the SSL VPN only for plain TCP and UDP applications, because no changes to the network's routing are required. Applications in which the server opens a connection back to the client or replies from a different port, such as active FTP and TFTP, cannot work in this type of environment. To establish this type of routing, add an iptables rule on the SSL VPN. If the OpenVPN Subnet Address option is set to 10.8.0.0/16 and the IP address of the SSL VPN is 10.16.12.247, the rule should be similar to the following:

iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j SNAT --to 10.16.12.247

Restart the SSL VPN services after modifying the iptables rules.

IMPORTANT: This simple solution works only if you are not already using iptables to translate ports for other applications or Access Manager components on the same machine, because a single hand-edited rule set does not coordinate with those rules. For a solution that works with multiple components, see Configuring SUSE Firewall for the SSL VPN Component in Access Manager.

2.2.3 Configuring Source NAT for SSL VPN

Source NAT (SNAT) for the SSL VPN Enterprise mode rewrites the dynamically assigned client addresses to the address of the SSL VPN before the packets are sent to the application server. The application server then replies to that address, so the packets return to the SSL VPN, which translates the destination back to the client's assigned address and forwards them to the client. This is the best approach if you are using SSL VPN for plain TCP and UDP applications. Applications in which the server connects back to the client or replies from a different port, such as active FTP and TFTP, cannot work in this type of environment. See Section 2.2.2, Configuring Source NAT, for the trade-off against static routing.

To establish this type of routing, you need an iptables SNAT rule on the SSL VPN. Instead of editing the rule by hand, you can configure SNAT entries in the Administration Console, which generates the iptables rule for you.

Configuring SNAT for Enterprise Mode

  1. In the Administration Console, click Devices > SSL VPNs > Edit.

    The Server configuration page is displayed.

  2. Select Advanced Configuration from the Gateway Configuration section.

  3. If the SSL VPN is a member of a cluster, the Cluster Member option is displayed. SNAT entries are configured separately for each cluster member, because the --to-source address is that member's own IP address. Select the IP address of the cluster member for which you want to configure the SNAT entry.

  4. To configure a new SNAT entry, click New.

  5. Specify the information in the following format:

    --protocol (-p): This is an optional parameter. To specify a protocol, select one from the list: ANY, UDP, TCP, or ICMP. By default, ANY is selected.

    --source (-s): Specifies the subnet pool from which the SSL VPN assigns an IP address to each client in Enterprise mode.

    NOTE: This field is populated with the Enterprise mode subnet by default. However, you can edit the value if you want to use this field to add iptables SNAT entries for other cases, such as full tunneling in Kiosk mode.

    --destination (-d): This is an optional parameter. You can specify either a single host IP address or a network as an IP address and network mask combination in the following format:

    <destination>/<SubnetMask>

    The network mask must be in dotted decimal format only (for example, 10.16.20.0/255.255.255.0), not in prefix-length notation.

    --destination-port (--dport): This is an optional parameter. You can specify the destination port. iptables accepts --dport only together with a TCP or UDP protocol match, so if you specify a port, set --protocol to TCP or UDP; with ANY or ICMP the generated rule is rejected when it is loaded.

    -j SNAT --to-source (--to): This is a mandatory parameter. Specify a valid IP address of the SSL VPN, that is, an address on the SSL VPN that the application server can route replies to.

    Provide additional parameters (will be appended to command): You can add any other iptables parameters, depending on your requirements. However, these parameters are not validated, so check the resulting rule carefully; a typo here makes the whole rule fail to load.

    Click OK.

    The new SNAT entry is displayed in the following format (optional parameters you did not specify are omitted):

    iptables -t nat -A POSTROUTING -p <protocol> -s <openVPNSubnetIP> -d <destinationIP> --dport <destinationPort> -j SNAT --to <privateIPSSLVPN> <additional parameters>

  6. To save your modifications, click OK, then click Update on the Configuration page.

Ordering SNAT Entries

You can configure SNAT rules for a user's role. However, the SNAT entries are processed in the order in which they appear in the list, and the first entry that matches a packet is the one applied. Place specific entries (those with a destination or destination port) before general catch-all entries; otherwise the catch-all matches first and the specific entry is never used. If you want to change the order of the rules, click the up-arrow or down-arrow to move them up or down.
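The following shell script is an added example; it is not part of the Access Manager documentation or product. It generates the static route for the approach in Section 2.2.1, the SNAT rules that the console procedure in Section 2.2.3 builds (with the specific entry placed before the catch-all, as the ordering rules require), and refuses a --dport on a protocol for which iptables does not accept it. The subnet 10.8.0.0/16 and the SSL VPN address 10.16.12.247 are taken from this section; the application server 10.16.20.5 and port 443 are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the Access Manager documentation.
# Builds the Enterprise-mode return-path configuration as commands:
#   - a static route for the gateway (Section 2.2.1), or
#   - iptables SNAT rules for the SSL VPN itself (Sections 2.2.2 / 2.2.3).
# Subnet and SSL VPN address are from the text; 10.16.20.5:443 is assumed.

OPENVPN_SUBNET="10.8.0.0/16"
SSLVPN_IP="10.16.12.247"
APP_SERVER="10.16.20.5"   # assumed application server address

# route_rule SUBNET VIA
# Static route to be added on the network gateway so that replies to the
# OpenVPN pool are sent to the SSL VPN (preserves client addresses).
route_rule() {
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# snat_rule SUBNET TO_IP [PROTO] [DEST] [DPORT]
# Emits the iptables command the console generates for one SNAT entry.
# Optional fields that are empty are omitted, as the console does.
# Returns 1 if --dport is requested without tcp or udp, because iptables
# rejects --dport for any other protocol match.
snat_rule() {
    subnet=$1; to=$2; proto=${3:-any}; dest=$4; dport=$5
    cmd="iptables -t nat -A POSTROUTING"
    case $proto in
        any) ;;                                  # no -p at all
        tcp|udp|icmp) cmd="$cmd -p $proto" ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    cmd="$cmd -s $subnet"
    [ -n "$dest" ] && cmd="$cmd -d $dest"
    if [ -n "$dport" ]; then
        case $proto in
            tcp|udp) cmd="$cmd --dport $dport" ;;
            *) echo "--dport requires -p tcp or -p udp" >&2; return 1 ;;
        esac
    fi
    printf '%s -j SNAT --to-source %s\n' "$cmd" "$to"
}

# rule_set
# The complete SNAT rule set in the order it must be loaded: the entry
# limited to one server and port first, the catch-all for the whole pool
# last. In POSTROUTING the first matching SNAT rule wins, so reversing
# these two would make the specific entry dead.
rule_set() {
    snat_rule "$OPENVPN_SUBNET" "$SSLVPN_IP" tcp "$APP_SERVER" 443 &&
    snat_rule "$OPENVPN_SUBNET" "$SSLVPN_IP"
}

if [ "${1:-}" = "--apply" ]; then
    # Load the rules on the SSL VPN (requires root); restart the SSL VPN
    # services afterwards, as the procedure requires.
    rule_set | sh
else
    echo "# on the network gateway (Section 2.2.1):"
    route_rule "$OPENVPN_SUBNET" "$SSLVPN_IP"
    echo "# or on the SSL VPN (Section 2.2.2 / 2.2.3), in this order:"
    rule_set
fi
```

Run the script without arguments to review the generated commands, and with --apply on the SSL VPN to load the SNAT rules. After loading, check the order and the packet counters with `iptables -t nat -L POSTROUTING -n -v --line-numbers`: a specific entry whose counters stay at zero while the catch-all counts packets is the symptom of the ordering mistake described above.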