NAT Loopback for Mobile VPN Users

NAT loopback enables a user on the trusted or optional networks to connect to a public server with the public IP address or domain name of the server, if the server is on the same physical Firebox interface. If Mobile VPN users connect to your trusted or optional networks, and route Internet traffic through the VPN tunnel, you can configure NAT loopback for the traffic from the Mobile VPN clients.

You can configure NAT loopback with static NAT or with 1-to-1 NAT.

  • Mobile VPN with IKEv2, L2TP, and SSL — You can use static NAT or 1-to-1 NAT to configure NAT loopback from the Mobile VPN clients.
  • Mobile VPN with IPSec — You must use 1-to-1 NAT to enable NAT loopback for traffic from the Mobile VPN clients because Mobile VPN with IPSec policies do not support static NAT actions.

To allow Mobile VPN users to use NAT loopback, the mobile user and VPN policies that allow traffic from VPN clients must meet these requirements:

  • The client must use the VPN to route traffic to the server IP address.
    • If NAT loopback is configured as a static NAT action, the client must use the VPN to route traffic to the IP address used in the static NAT action.
    • If NAT loopback is configured with 1-to-1 NAT, the client must use the VPN to route traffic to the NAT base IP address.
  • The allowed resources configured in the VPN settings must include the IP address or subnet for the static NAT, or the 1-to-1 NAT base IP address.
  • For Mobile VPN with IPSec, the allowed VPN resource in the Mobile VPN with IPSec profile and the Mobile VPN policy must include the NAT base IP address, or a subnet that includes the NAT base IP address configured in the 1-to-1 NAT settings.
  • The policy that has the static NAT or NAT base IP address in the To list must contain one of the following in the From list for traffic from a Mobile VPN user to match the policy:
    • The name of a Mobile VPN user.
    • A group name that the Mobile VPN user is a member of.
    • An IP address, subnet, or alias that includes or matches the virtual IP address assigned to the Mobile VPN user. The virtual IP address assigned to the user depends on the IP address pool configured for the VPN.
    • The Any alias.

If it is not possible to meet each of these requirements, the user can still use the internal, private IP address of the internal host to connect to it, if access to that host is permitted by the VPN configuration and policy. If the client does not use the Mobile VPN to route to the public IP address used in the static NAT, or the 1-to-1 NAT base IP address, the client can use the regular Internet connection to connect to the public IP address of the server, if that incoming traffic is allowed by a configured policy.
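The requirements above can be checked against a planned configuration before you change the Firebox. The following is an added example, not WatchGuard code: the dictionary layout, key names, and sample addresses are hypothetical and do not correspond to any Firebox configuration file format.

```python
import ipaddress

def _covers(entries, ip):
    """True if any IP address or subnet in `entries` includes `ip`."""
    addr = ipaddress.ip_address(ip)
    for e in entries:
        try:
            if addr in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:
            continue  # not an address: a user, group, or alias name
    return False

def loopback_problems(vpn, policy, user):
    """Return the unmet requirements; an empty list means all are met."""
    problems = []
    target = policy["nat_ip"]  # static NAT IP address or 1-to-1 NAT base IP address
    if vpn["type"] == "IPSec" and policy["nat_type"] != "1-to-1":
        problems.append("Mobile VPN with IPSec requires 1-to-1 NAT")
    if not _covers(vpn["client_routes"], target):
        problems.append("client does not route the NAT IP through the VPN")
    if not _covers(vpn["allowed_resources"], target):
        problems.append("allowed resources do not include the NAT IP")
    frm = policy["from"]
    if not ("Any" in frm or user["name"] in frm
            or any(g in frm for g in user["groups"])
            or _covers(frm, user["virtual_ip"])):
        problems.append("policy From list does not match the Mobile VPN user")
    return problems

# Constructed sample values (documentation address ranges), not from a real device.
VPN = {"type": "SSL", "client_routes": ["0.0.0.0/0"],
       "allowed_resources": ["10.0.1.0/24", "203.0.113.10"]}
POLICY = {"nat_type": "static", "nat_ip": "203.0.113.10",
          "from": ["SSLVPN-Users"]}
USER = {"name": "alice", "groups": ["SSLVPN-Users"], "virtual_ip": "192.168.113.5"}

if __name__ == "__main__":
    print(loopback_problems(VPN, POLICY, USER) or "all requirements met")
```

A non-empty result names the requirement that is not met, which corresponds to the fallback cases described in the previous paragraph.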
