Forum Discussion
Adam_Berns_1470
Nimbostratus
Jun 05, 2013
Confusion on SNAT and source IP/Ports
I have a question in configuring a Windows 2012 server with LTM. This is not an application-specific question (but just to clarify, it is for Lync 2012 Front End and Edge Servers). I want to make sure...
Mark_Harris_608
Cirrus
Jun 05, 2013
Hey Adam - I would suggest a few things to think about that may help resolve your issue, possibly without doing anything related to network / server reconfiguration. First, logging source IP address does *not* make a deployment more secure in and of itself. In fact, by the time the source address is written to the log, the connection is already established and it provides no security benefit other than its historical security audit/forensics value. The process of actually using SNAT combined with the security features of the LTM (or ASM, or any security device for that matter), provides the real security value to the application. In fact, some would say the "S" in this acronym stands for "Secure" (while others might say Source).
All that said, the source IP address is changed when you use SNAT, but the X-FWD-FOR remains the original source address. Simply change your logs to show that parameter instead of SrcIP. Yet another option is using the LTM logging to do whatever security forensics you need to do or transfer this information to a syslog server to analyze. Another option is keeping a single NIC/subnet addressing scheme on your servers and making the default gateway the LTM (using two interfaces and using routes with metrics on Windows as it seems you are describing in your question is a recipe for disaster IMO - or at least a pain to manage).
In short, getting the source IP to show up in the source IP field of the Windows logs doesn't provide any security benefit, thus isn't likely to be worth the trouble of a server/network reconfiguration or the performance/management headaches that creates.
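The "use X-Forwarded-For instead of the source IP" advice above has one practical caveat worth building into any log pipeline: the header is only present on HTTP traffic that the LTM inserts it into, and it is only trustworthy when the connection actually arrived from the LTM's SNAT address (any client can send its own X-Forwarded-For). The script below is an added example, not code from the thread or from F5; it reads constructed sample log lines, trusts the header only for connections from an assumed SNAT address (`10.0.0.5`, a placeholder), and walks the header from the right so that an address appended by an untrusted intermediate hop is never reported as the client.

```python
"""Recover the original client address from SNAT-ed HTTP log lines.

Added example for the DevCentral thread on SNAT and source IP logging.
The log format, the SNAT address and the sample lines are all constructed.
"""
import ipaddress
import re

# Assumption: the LTM's SNAT address as seen by the Windows server.
# Replace with your own SNAT pool members.
TRUSTED_SNAT = {ipaddress.ip_address("10.0.0.5")}

# Constructed log line format: "<peer-ip> <method> <path> <status> xff=<header|->"
LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) xff=(?P<xff>\S+)$"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET /lyncdiscover 200 xff=203.0.113.7
10.0.0.5 POST /Abs/Handler 401 xff=198.51.100.23,172.16.4.4
192.0.2.99 GET /health 200 xff=203.0.113.7
10.0.0.5 GET /meet/abc 200 xff=-
10.0.0.5 GET /x 200 xff=garbage
"""


def client_ip(src, xff):
    """Return (client_address, reason) for one log entry.

    The X-Forwarded-For value is honoured only when the TCP peer is a trusted
    SNAT address; otherwise the peer itself is the best available client address.
    """
    try:
        peer = ipaddress.ip_address(src)
    except ValueError:
        return None, "bad-src"
    if peer not in TRUSTED_SNAT:
        # Direct connection (or an unknown proxy): the header may be client-supplied.
        return peer, "direct"
    if xff == "-":
        # SNAT connection without the header (e.g. no HTTP profile inserted it).
        return peer, "snat-no-xff"
    # Each proxy appends the address it saw, so the rightmost entry is what the
    # trusted LTM observed. Skip trusted hops; stop at the first untrusted one.
    hops = [hop.strip() for hop in xff.split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer, "xff-invalid"
        if addr not in TRUSTED_SNAT:
            return addr, "xff"
    return peer, "xff-only-proxies"


def summarize(log_text):
    """Parse every line and return [(client_ip_str, reason, path), ...]."""
    results = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than guessing
        addr, reason = client_ip(match["src"], match["xff"])
        results.append((str(addr) if addr else None, reason, match["path"]))
    return results


if __name__ == "__main__":
    for client, reason, path in summarize(SAMPLE_LOG):
        print(f"{client:<16} {reason:<16} {path}")
```

The second sample line shows why the walk is from the right: `198.51.100.23` was supplied by `172.16.4.4`, an intermediate hop the LTM does not vouch for, so `172.16.4.4` is the most trustworthy client address available for that request. The third line shows a connection that bypassed the SNAT entirely; its header is ignored.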