Cisco Support Community
New Member

IPTables NAT on a NAC Appliance

Has anyone had success performing a static NAT via a CAS appliance using IPTABLES? I recently deployed an SSL VPN / NAC solution using "restrict access to vlan X" on the SSL VPN client group policy and used a tunneled default route on a transit interface to get all SSL VPN traffic through our in-band CAS. It works great; however, this setup does not work well for clientless VPN traffic.

Because of the tunneled default gateway, the clientless traffic takes the same path through the transit firewall interface, through the untrusted/trusted CAS interfaces, and then back out the "inside" interface towards the internet/site-to-site endpoints. It gets broken because the return path does not go back through the "inside" interface, since the original source of the traffic is the firewall transit interface, which is directly connected.

The only way I can figure to correct this is to source NAT this traffic after it leaves the SSL VPN transit interface, but before it hits the inside interface. My inside devices are a 3750 stack, which does not support NAT, so is the IPTABLES NAT an option anyone has used before?

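As an added illustration of the source-NAT idea the post asks about (this is example code, not something from the original thread or from Cisco), the script below renders the iptables rules a Linux box would need to translate the VPN pool's source address to the address of its own inside interface as traffic leaves that interface, and the commands used to verify the rule is hit. The VPN pool `10.99.0.0/24`, interface `eth0` and address `10.1.1.5` are constructed placeholders, and the `render_snat_rules`/`render_verify_commands` helper names are my own. Nothing is applied unless `SNAT_APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the original post or the CAS product.
# Render (and optionally apply) an iptables source NAT so that traffic from the
# SSL VPN pool leaves the inside interface with that interface's own address,
# which makes the return path come back through the same box instead of going
# straight to the directly connected firewall transit interface.

# render_snat_rules POOL IFACE IP
#   Print the commands that source-NAT POOL when it exits IFACE as IP.
render_snat_rules() {
    pool=$1; iface=$2; ip=$3
    # Forwarding must be enabled or packets never reach the nat POSTROUTING chain.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # SNAT is evaluated only on the first packet of a connection; conntrack
    # records the mapping and reverses it for every reply packet automatically.
    echo "iptables -t nat -A POSTROUTING -s $pool -o $iface -j SNAT --to-source $ip"
    # Allow the forwarded flows: new connections outbound from the pool,
    # and only reply packets inbound (matched by conntrack state).
    echo "iptables -A FORWARD -s $pool -o $iface -j ACCEPT"
    echo "iptables -A FORWARD -d $pool -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# render_verify_commands
#   Print the commands to check the rule exists, its packet counters increase,
#   and that translated connections show up in the connection-tracking table.
render_verify_commands() {
    echo "iptables -t nat -L POSTROUTING -n -v"
    echo "iptables -L FORWARD -n -v"
    # conntrack-tools is assumed to be installed; grep the pool address to see
    # the original and translated tuples of each flow.
    echo "conntrack -L"
}

# Constructed placeholder values: VPN address pool, inside interface and its IP.
VPN_POOL=10.99.0.0/24
INSIDE_IF=eth0
INSIDE_IP=10.1.1.5

if [ "${SNAT_APPLY:-0}" = 1 ]; then
    # Apply for real (needs root); otherwise just show what would run.
    render_snat_rules "$VPN_POOL" "$INSIDE_IF" "$INSIDE_IP" | sh -e
else
    render_snat_rules "$VPN_POOL" "$INSIDE_IF" "$INSIDE_IP"
    render_verify_commands
fi
```

The rule lives in the nat table's POSTROUTING chain and matches on the outgoing interface, so only traffic actually leaving towards the inside network is rewritten; traffic between the two CAS interfaces is untouched. Because the translation is stateful, the inside devices only ever see the box's own inside address, which is exactly what keeps the reply path symmetric.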