Tutorial: Configure Global NAT Behavior Settings

Abstract

Use Access Server's global NAT settings to turn NAT on or off and to specify the interfaces or IP addresses used for outgoing NAT operations.

Overview

This tutorial explains how to configure the global NAT behavior settings in Access Server. You will learn how to turn NAT on or off and how to specify the interfaces or IP addresses used for outgoing NAT operations.

Changing global NAT settings can be beneficial in the following scenarios:

  • Firewall Logging: When you need to log VPN clients' private IP addresses as traffic passes through the VPN server to the firewall and then to the internet.

  • Custom NAT Implementation: When you implement NAT further along the connection chain, before traffic goes to the public internet.

  • Load Balancing: When you need to specify different IP addresses or a range of addresses for outgoing NAT operations.

  • Multiple Network Interfaces: When you need to specify which network interface or IP address is used for outgoing NAT operations.

These adjustments help tailor the network behavior to specific administrative and security requirements.

Prerequisites

  • An installed Access Server.

  • Console access with root privileges.

  • Proper planning to avoid network disruptions during changes.

Steps

  1. Connect to the console with root privileges.

  2. Use the following commands to change NAT settings.

    • Turn off NAT for outgoing public traffic (enabled by default):

      ./sacli --key "vpn.server.nat" --value "false" ConfigPut
      ./sacli start

    • Turn NAT back on and restore the default setting:

      ./sacli --key "vpn.server.nat" ConfigDel
      ./sacli start

    • Specify an interface or address for outgoing NAT:

      ./sacli --key "vpn.server.routing.snat_source.N" --value "<INTERFACE-ADDRESS>" ConfigPut
      ./sacli start

      Where N is a number starting from 0, incrementing for multiple definitions.

      Replace <INTERFACE-ADDRESS> with one of the following formats:

      • interface:address — Source NAT traffic using the IP address of a specified interface name.

      • interface:number — Source NAT using the IP address of the alias number of the specified interface name.

      • interface:begin-range:end-range — Source NAT traffic randomly using a range of IP addresses.

Examples

  1. NAT traffic through a specific IP address:

    ./sacli --key "vpn.server.routing.snat_source.0" --value "eth2:192.0.2.0" ConfigPut
    ./sacli start

  2. NAT traffic via an alias address:

    ./sacli --key "vpn.server.routing.snat_source.0" --value "eth0:4" ConfigPut
    ./sacli start

  3. NAT traffic using a range of public IPs:

    ./sacli --key "vpn.server.routing.snat_source.0" --value "ens192:203.0.113.18:203.0.113.22" ConfigPut
    ./sacli start

  4. Specify multiple rules for multiple interfaces:

    ./sacli --key "vpn.server.routing.snat_source.0" --value "eth0:203.0.113.18:203.0.113.22" ConfigPut
    ./sacli --key "vpn.server.routing.snat_source.1" --value "eth1:3" ConfigPut
    ./sacli start
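
The following is an added example, not part of the Access Server documentation or tooling: a POSIX shell pre-flight check that classifies each snat_source value as one of the three formats listed above and prints, without running them, the indexed ConfigPut commands followed by the restart. The function names, the interface-name character set, and the requirement that a range's begin address not sort after its end address are assumptions of this example, not rules stated by Access Server.

```shell
# Added example: check snat_source values, then print (not run) the sacli commands.
# is_ipv4 ADDR: succeed for a dotted quad, octets 0-255, no leading zeros.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# ip_to_int ADDR: print an already validated address as an integer, for range ordering.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# snat_kind VALUE: print address, alias or range for a well-formed value, else fail.
snat_kind() {
    case "$1" in *:*) ;; *) return 1 ;; esac
    iface=${1%%:*}; rest=${1#*:}
    # Assumption: interface names use only letters, digits, '.', '_' and '-'.
    case "$iface" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$rest" in
        *:*:*) return 1 ;;
        *:*)   is_ipv4 "${rest%%:*}" && is_ipv4 "${rest#*:}" || return 1
               # Assumption: the begin address must not sort after the end address.
               [ "$(ip_to_int "${rest%%:*}")" -le "$(ip_to_int "${rest#*:}")" ] && echo range ;;
        *.*)   is_ipv4 "$rest" && echo address ;;
        ''|*[!0-9]*) return 1 ;;
        *)     echo alias ;;
    esac
}

# snat_commands VALUE...: print ConfigPut commands keyed .0, .1, ... and the restart; fail, printing none, on a bad value.
snat_commands() {
    for v in "$@"; do
        snat_kind "$v" >/dev/null || { echo "invalid snat_source value: $v" >&2; return 1; }
    done
    n=0
    for v in "$@"; do
        printf './sacli --key "vpn.server.routing.snat_source.%d" --value "%s" ConfigPut\n' "$n" "$v"
        n=$((n + 1))
    done
    echo './sacli start'
}

snat_commands "eth0:203.0.113.18:203.0.113.22" "eth1:3"   # values from example 4 above
```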

Note

In our documentation, we use example IPv4 addresses and subnets reserved for documentation, such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.

Ensure you replace them with valid IPv4 addresses and subnets for your network(s).