Forum Discussion
authentication based on client ip address on web server
When you enable X-Forwarded-For (XFF) on the HTTP profile, it stores the original client address in the X-Forwarded-For header in the HTTP request. It is up to the web server to do something intelligent with that information.
If you are using IIS as your webserver, then the ISAPI plug-ins are downloadable from the BIG-IP management GUI (scroll down on the default page after logging in). This allows the webserver to recognise the field and use it for logging purposes. The configuration required on other webservers varies, and Google is your friend there.
However, as the other person to reply has noted, there's possibly no need to change the address at all. The only reason to use a SNAT (or SNAT automap) is to compel the traffic to return back through the LTM. If your network routing already does that (i.e., the default route on the webservers is via the LTM), then there's no need for a SNAT at all, and you can simply set destination address translation ('Address Translation') in the virtual server GUI to disabled.
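One way a web application could use the header for IP-based access decisions, as an added example that is not part of the original post or F5's code: the header is honoured only when the TCP peer is the load balancer, and the chain is read from the right. The proxy range `10.0.0.0/29`, the function names and the sample addresses are constructed assumptions, as is the framework joining multiple X-Forwarded-For headers with commas in arrival order.

```python
import ipaddress

# Assumption: addresses the LTM uses towards the web servers (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]


def _is_trusted(addr):
    """True if addr belongs to one of the load balancer's own ranges."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address to use for IP-based access decisions.

    peer       -- source address of the TCP connection seen by the web server
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # A client that reaches the server directly can put anything in the
    # header, so it only counts when the connection came from the proxy.
    if not _is_trusted(peer_addr) or not xff_header:
        return str(peer_addr)
    # Read right to left: the last entry was added by the nearest proxy,
    # entries further left may have been supplied by the client itself.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            # Malformed entry: stop trusting the chain, fall back to the peer.
            return str(peer_addr)
        if not _is_trusted(hop):
            return str(hop)
    return str(peer_addr)


def is_allowed(peer, xff_header, allowlist):
    """Check the derived client address against a list of CIDR strings."""
    addr = ipaddress.ip_address(client_ip(peer, xff_header))
    return any(addr in ipaddress.ip_network(net) for net in allowlist)
```

The allowlist passed to `is_allowed` should not include the proxy's own range, otherwise the fallback to the peer address would admit requests with a missing or malformed header.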