Forum Discussion
Don't want to use SNAT automap in network access
Hi,
I am using network access VPN with the SNAT automap feature in APM Network Access. Now, as per requirement, the actual client IP must be visible in the firewall when the SSL VPN connection is made, but at present the firewall sees only the BIG-IP self IP because of the automap feature. Is there any best possible way to achieve that?
17 Replies
- Samir_Jha_52506
Noctilucent
You can use SNAT automap with the X-Forwarded-For option to get the client IP.
- Harry1
Nimbostratus
OK, if I use X-Forwarded-For then I will be able to see the distributed lease pool IP of that client in my firewall, right?
- Harry1
Nimbostratus
I enabled X-Forwarded-For in the HTTP profile but the actual client IP is not showing. Appreciate any help here.
- IainThomson85_1
Cumulonimbus
The X-Forwarded-For header will only insert the "true IP" into the HTTP header; it won't change the IP that the firewall sees (unless it can use Layer 7 information).
Why are you using SNAT automap in the first place? Is this to get round a routing issue in a one-arm deployment?
Can you create a two-arm deployment so automap isn't required?
I believe you have been on the wrong path for a while. You are talking about APM SSL VPN client users, right?
To disable SNAT for them use: Access Policy ›› Network Access : Network Access List ›› Network Settings: SNAT Pool to None
- Domel_163525
Nimbostratus
Hello guys,
I'm having the same issue as the author of this post.
F5 deployed with 2x arms (Internal & External).
If I have automap enabled for APM VPN, every client is NATed to the F5's internal self IP and all is working fine.
I need to disable it so clients are not NATed.
I have changed it to "None"; unfortunately it stopped working (nothing is pingable anymore).
Do I need to get anything else configured on the F5 (additional VLAN, etc.), or with correct routing in place should it just work?
- Eholo_369778
Nimbostratus
Hello,
I have the same question and the same infrastructure as Domel and the author. Actually, I don't want to use SNAT on network access because in my infrastructure we would like to know what has been done on the network (the source IP provided by the VPN, not the SNAT). I know it is possible by using the F5 as the gateway, but I can't change the infrastructure. A SNAT pool is also a solution, by splitting the network access by policy, but the client wants to know exactly what has been done on the network and what source IP was given, without changing the infrastructure. Is it possible?
Cordially.
- Domel_163525
Nimbostratus
Ok, I have figured it out and it worked like a charm.
Nothing else needs to be done apart from routing.
- HJMartini_13991
Nimbostratus
And what's the solution for that problem?
- Domel_163525
Nimbostratus
On the F5 you just need to change it from automap to None as per the instruction below:
'To disable SNAT for them use: Access Policy ›› Network Access : Network Access List ›› Network Settings: SNAT Pool to None'
But from the routing side you need to make sure that the subnet/IP range you allocate for the VPN pool is reachable from your network.
Using my 2x arm deployment as an example:
Subnet1 (10.1.1.0/24) - Internal; Subnet2 (10.2.2.0/24) - External; Subnet3 (192.168.1.0/24) - VPN-Pool;
On the router in your network a route is required saying: to get to Subnet3 (VPN-Pool), go via the self IP (or floating self IP if you have an F5 cluster configured) of the F5 internal VLAN:
ip route 192.168.1.0 255.255.255.0 10.1.1.252 (where 10.1.1.252 is the F5 floating self IP)
That was really it. You don't need to do anything else.
As many said previously, it all depends on your network and infrastructure, but you should get the general idea: the F5 is a router in its own right.
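As an added illustration (not code from the thread or from F5), the following Python model of the two-arm topology above shows why SNAT Pool = None leaves nothing pingable until the internal router has a return route for the lease pool, and what source IP the firewall logs in each case. The upstream gateway 10.1.1.1 and the client address 192.168.1.5 are constructed values.

```python
import ipaddress

# Constructed model of the two-arm topology from the post (not an F5 config).
INTERNAL = ipaddress.ip_network("10.1.1.0/24")     # Subnet1, F5 internal arm
VPN_POOL = ipaddress.ip_network("192.168.1.0/24")  # Subnet3, APM lease pool
F5_FLOATING_SELF_IP = ipaddress.ip_address("10.1.1.252")
DEFAULT_GW = "10.1.1.1"  # assumed upstream gateway of the internal router


def next_hop(routes, dst):
    """Longest-prefix-match lookup over (network, next_hop) pairs."""
    best = None
    for net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def simulate(routes, vpn_client, snat_automap):
    """Model one VPN client flow to an internal server and the reply path.

    snat_automap=True : F5 rewrites the source to its self IP, so the firewall
                        logs 10.1.1.252 and the reply goes to a connected address.
    snat_automap=False: SNAT Pool = None keeps the real lease-pool IP, so the
                        reply must be routed back to the F5 via its self IP.
    """
    client = ipaddress.ip_address(vpn_client)
    source_seen = F5_FLOATING_SELF_IP if snat_automap else client
    nh = next_hop(routes, source_seen)
    # The reply reaches the F5 only if it is addressed to the self IP itself or
    # forwarded with the self IP as next hop; anything else is black-holed.
    reaches_f5 = source_seen == F5_FLOATING_SELF_IP or nh == str(F5_FLOATING_SELF_IP)
    return {"source_seen": str(source_seen), "next_hop": nh, "reaches_f5": reaches_f5}


# Router table before the fix: the connected subnet plus a default route.
BASE_ROUTES = [(INTERNAL, "connected"),
               (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW)]
# After "ip route 192.168.1.0 255.255.255.0 10.1.1.252":
FIXED_ROUTES = BASE_ROUTES + [(VPN_POOL, str(F5_FLOATING_SELF_IP))]

if __name__ == "__main__":
    for label, routes, snat in [("automap", BASE_ROUTES, True),
                                ("none, no route", BASE_ROUTES, False),
                                ("none, with route", FIXED_ROUTES, False)]:
        print(f"{label:17s} {simulate(routes, '192.168.1.5', snat)}")
```

The middle case is Domel's "nothing is pingable" symptom: the reply to 192.168.1.5 follows the default route to 10.1.1.1 instead of returning to the F5.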