Joshua_Snider
Participant

Enable SNX on Cluster

Hey all,

I'm trying to enable mobile access on our HA (active/passive) cluster to be able to use SNX.  Right now I'm stuck on just getting the web page with the user/pass field.  Our topology looks something like this (w/ IPs changed)

Computers on the internal networks can open a webpage to 192.168.0.5 with the expected portal.  But I want remote users on the public internet to be able to access the portal page.  So I created a DNS entry vpn.ourdomain.com to resolve to a public IP address and during the first time setup wizard I told the portal to use that FQDN.  I created access control rules to allow users to access both the private IP (192.168.0.1/2/5) and the public address resolving from vpn.ourdomain.com.  When I'm at my home computer, I can resolve the name entry fine, but I cannot access the portal web page.

I'm thinking I have to configure the public IP on the firewall cluster, but I've no idea how to do that.  Anytime I go into Cluster Object > NAT > Advanced & tell it to statically xlate to the public IP address, I get a verification error saying the cluster cannot xlate its own address.

I've tried static NAT rules up the wazoo but nothing seems to be working.  I'm hoping that we don't have to change the bonded VIP to a public address b/c we'd have to rework our connection btw the firewall and edge router & burn some IPs, but if that's what we have to do then I guess we do have a maintenance window coming up...

Any ideas?  I'm sure I'm missing something stupid.

Also, first real use and post to Checkmates so I'm excited there's this community here!

1 Solution

Accepted Solutions
PhoneBoy
Admin

Any chance the border router can perform the public > private NAT?

That seems like it might be the cleanest solution here.


0 Kudos
Joshua_Snider
Participant

I'll give that a try, thanks!

0 Kudos
Joshua_Snider
Participant

Performing NAT on the edge router worked, thanks for the suggestion!  Wish we could've done it on the f/w so that the config for mobile access isn't spread out so much, but c'est la vie
