DUO Proxy and DAG with NAT

Hi there,

I have a question,

DUO Proxy and DOU DAG can have NAT ?

Stage 1
ISE—>Firewall NAT—> DUO Proxy
ISE request 192.X.X.X—FW NAT–>IP 10.X.X.X DUO Proxy

Stage 2

User–>Firewall NAT—>DUO DAG
User request 192.X.X.X—>Firewall NAT—>Real IP 10.X.X.X DUO DAG.

I hope be clear.


Hi @dorel,
For the Duo Authentication Proxy, as long as the traffic arrives to the Duo Authproxy on the expected IP (e.g., the IP that is configured in the config file) this should work fine. You would need to ensure the source IP does not change, however, as the Authproxy will not accept traffic from any IP it does not know about or that has not been configured in the config file.

For Duo Access Gateway, the DAG would normally be internet facing so there would be NATing in place between the clients and the DAG usually. As long as the networking is configured correctly this should be fine.