Ivory

Mobile Access with NAT in the firewall

Hello everyone,


After reading so many posts here, I decided to join the community, and this is my first post.


I'm configuring Mobile Access from scratch. The MAP (Mobile Access Portal) is accessible through all interfaces. On the external interface we have a private IP address configured, and so does the ISP router (let's say 10.0.0.0/24, where .1 is the cluster floating IP, .1 and .2 are the gateways' IPs and .5 is the router). The router just forwards all the traffic from a certain public IP address range (let's say 70.0.0.0/29).


I would like the MAP to be accessible through one of the public IPs (70.0.0.1, for example). I tried several NAT rules to translate 70.0.0.1 to the floating IP address of the cluster (10.0.0.1). I also tried to use the dynamic object "LocalMachine".


From the traffic captures that I performed, I see that:

  • When I access the floating IP address (https://10.0.0.1/sslvpn), the portal is reachable.
  • When I access the public IP address (https://70.0.0.1/sslvpn), I see that the firewall is performing the NAT on the incoming traffic, but it is answering with an RST packet to every SYN packet that it receives for this connection.


Any help?

0 Kudos
2 Replies

Re: Mobile Access with NAT in the firewall

How are clients behind the gateway reaching the internet? Is the router doing a hide-NAT? If yes, best would be to also let it do the inbound NAT!
0 Kudos
Ivory

Re: Mobile Access with NAT in the firewall

Hello,
The ISP router is just "routing" the traffic to the firewall. It's the firewalls that are NATing all the traffic.

I found a workaround by configuring the public IP address as a loopback on the gateways. This allows the firewall to answer properly to the MAP or other SSL VPN connections (Capsule VPN or Mobile Client).
0 Kudos
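The diagnosis in the first post (SYN to the public IP answered with RST, SYN to the floating IP answered with SYN/ACK) and the verification of the loopback workaround in the last reply both come down to reading the same thing out of a gateway-side capture: for each SYN aimed at the portal, what was the first packet the gateway sent back? The script below is an added example, not code from the original thread or from Check Point; it parses `tcpdump -n` style lines and summarises the handshake outcome per destination address. The capture text is constructed for the example, reusing the thread's addresses (70.0.0.1 as the NATed public IP, 10.0.0.1 as the cluster floating IP); the client addresses 198.51.100.7 and 10.0.0.10 are assumed test clients. The script only reports what the capture shows; it does not decide why the gateway sends the RST.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output (not taken from the original post).
# 70.0.0.1 is the public IP being NATed to the cluster, 10.0.0.1 the cluster
# floating IP; 198.51.100.7 and 10.0.0.10 are assumed test clients.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.51000 > 70.0.0.1.443: Flags [S], seq 1000, win 64240, length 0
12:00:01.000200 IP 70.0.0.1.443 > 198.51.100.7.51000: Flags [R.], seq 0, ack 1001, win 0, length 0
12:00:02.000001 IP 198.51.100.7.51001 > 70.0.0.1.443: Flags [S], seq 2000, win 64240, length 0
12:00:02.000200 IP 70.0.0.1.443 > 198.51.100.7.51001: Flags [R.], seq 0, ack 2001, win 0, length 0
12:00:03.000001 IP 10.0.0.10.52000 > 10.0.0.1.443: Flags [S], seq 3000, win 64240, length 0
12:00:03.000200 IP 10.0.0.1.443 > 10.0.0.10.52000: Flags [S.], seq 9000, ack 3001, win 65535, length 0
12:00:03.000400 IP 10.0.0.10.52000 > 10.0.0.1.443: Flags [.], ack 9001, win 64240, length 0
"""

# Matches the "IP a.b.c.d.port > a.b.c.d.port: Flags [..]" part of a tcpdump line.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_packets(text):
    """Yield (src, sport, dst, dport, flags) tuples from tcpdump -n lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags


def handshake_outcomes(text, port=443):
    """Classify every client SYN towards `port` by the server's first answer.

    Returns {server_ip: {"syn": n, "syn_ack": n, "rst": n, "unanswered": n}}.
    """
    pending = set()  # (client, cport, server, sport) of SYNs not yet answered
    stats = defaultdict(lambda: {"syn": 0, "syn_ack": 0, "rst": 0, "unanswered": 0})
    for src, sport, dst, dport, flags in parse_packets(text):
        if dport == port and flags == "S":        # bare SYN from a client
            pending.add((src, sport, dst, dport))
            stats[dst]["syn"] += 1
            continue
        key = (dst, dport, src, sport)            # same flow, reverse direction
        if sport == port and key in pending:
            if "R" in flags:                      # RST or RST/ACK: refused
                pending.discard(key)
                stats[src]["rst"] += 1
            elif "S" in flags and "." in flags:   # SYN/ACK: accepted
                pending.discard(key)
                stats[src]["syn_ack"] += 1
    for _, _, dst, _ in pending:
        stats[dst]["unanswered"] += 1
    return dict(stats)


def verdict(stats):
    """One-line reading of each server address from handshake_outcomes()."""
    out = {}
    for ip, s in stats.items():
        if s["syn"] and s["syn_ack"] == s["syn"]:
            out[ip] = "reachable: SYN/ACK to every SYN"
        elif s["syn"] and s["rst"] == s["syn"]:
            out[ip] = "refused: RST to every SYN"
        elif s["syn"] and s["unanswered"] == s["syn"]:
            out[ip] = "silent: no answer to any SYN"
        else:
            out[ip] = "mixed: %d SYN/ACK, %d RST, %d unanswered of %d SYN" % (
                s["syn_ack"], s["rst"], s["unanswered"], s["syn"])
    return out


if __name__ == "__main__":
    for ip, text in sorted(verdict(handshake_outcomes(SAMPLE_CAPTURE)).items()):
        print("%-12s %s" % (ip, text))
```

Feed it a real capture (for example `tcpdump -ni <external-interface> 'host 70.0.0.1 or host 10.0.0.1'` on the active member) once before and once after adding the loopback address; the public IP should move from "refused" to "reachable" while the floating IP stays "reachable". If the SYNs to the public IP show up as "silent" instead, the packets are not being NATed to a listening address at all, which is a different problem from the RST the thread describes.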