Forum Discussion
REddy
Nimbostratus
NimbostratusF5 APM/SSL VPN/Lease IP's range routing
Hello , We have a requirement with the routing based on the lease-ip range for 2 SSL VPN URL's. We have 2 VLANS (External and Internal). External VLAN listens to the traffic from the internet an...
Lucas_Thompson
Employee
EmployeeWhen you provision APM, BIG-IP adds two "hidden" virtual servers to handle the APM tunnel traffic so the admin doesn't have to explicitly set it up. To override it, the virtual server that accepts the traffic must be:
1- More specific than the hidden virtual's destination address of 0.0.0.0/0. Alternatively you can use a source address set to the lease pool net of the VPN users. Consult that link for details.
2- Connectivity profile (TMM's virtual PPP access-concentrator interface) is selected in the VLANs selector, or VLAN selector set to All Vlans.
Afterwards, TMM should select this virtual for traffic ingressing from the VPN users.
If you want to direct user traffic to different internal routers, there are a lot of different ways to do it:
- you can use multiple routing virtuals with multiple connectivity profiles (some users get one, some get another).
- you can use multiple routing virtuals and give your VPN users different lease pools and use the VS's Source selector so TMM selects these different VSs for different users.
- you can use an iRule that fires on ACCESS_ACL_ALLOWED and sets nexthop to the desired router based on some APM user session data (AD groups, names, etc).
