Forum Discussion
F5 LTM SNAT features Question
Hi AhmedMS
I'd say Stefan_Klotz has the correct answer: to SNAT or not to SNAT is mostly a question of making sure the response traffic comes back through the F5 box.
In most greenfield scenarios what I like to do is to get the server VLAN "behind" the F5, and create an "IP forwarding" virtual server so that the F5 can route traffic properly. That way you may configure your servers' default gateway with the F5's address.
Not using SNAT ensures you send unchanged layer-3 source IPs to the real server. Maybe the server has specific rules depending on the source IP, or you just want proper logging.
If you do need SNAT, and as Stefan mentioned, the HTTP protocol has the option of using the XFF header, which you can use to insert the original source IP. You can activate that directly in the HTTP profile in F5 (the header will be called "X-Forwarded-For"), or you can get creative with the header name with an iRule - see https://my.f5.com/manage/s/article/K4816.
Note that to insert XFF in HTTPS traffic, you need to decrypt the traffic. You need at least a Client-SSL profile and an HTTP profile attached to the virtual server; if server traffic is to be encrypted you must add a Server-SSL profile.
Some protocols (not many that I know of...) have similar features to XFF. For instance, SIP uses the "Via" and "Route" headers.
/Mike
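The post's point that SNAT hides the layer-3 source from the server, so rules and logging must fall back on the inserted header, has a server-side consequence worth showing: the backend must trust that header only when the connection actually comes from the F5, and must treat any value a client could have supplied as untrusted. The following is an added example written for this page, not code from the post or from F5. It assumes constructed SNAT addresses (`TRUSTED_F5_ADDRS`), the default header name `X-Forwarded-For` from the HTTP profile (an iRule as in K4816 would just change `CLIENT_IP_HEADER`), and that the F5's inserted value ends up as the last entry seen by the server, whether as a separate header line or appended to an existing chain.

```python
"""Backend-side recovery of the real client IP behind an F5 LTM using SNAT.

Added example, not part of the DevCentral post. Assumptions (labelled):
- The F5 translates the client source to one of TRUSTED_F5_ADDRS
  (SNAT pool / automap addresses; the values here are constructed).
- The F5's HTTP profile, or an iRule, inserts the client address under
  CLIENT_IP_HEADER. "X-Forwarded-For" is the profile's default name.
- The F5's own entry is the last one the server sees, either because it
  is appended to an existing chain or because it arrives as a later
  header line (the server-side merge order preserves that).
"""
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample values: the SNAT addresses the F5 uses toward the server.
TRUSTED_F5_ADDRS = {"10.0.0.5", "10.0.0.6"}
CLIENT_IP_HEADER = "X-Forwarded-For"

Header = Tuple[str, str]  # (name, value) pairs, duplicates allowed


def _parse_ip(value: str) -> Optional[str]:
    """Return a normalised IP string, or None if the value is not an address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def forwarded_chain(headers: Iterable[Header]) -> list:
    """Collect every address in the forwarded header, in arrival order.

    Multiple header lines are concatenated in order, and each line may
    itself be a comma-separated chain, so the result is a flat list.
    """
    chain = []
    for name, value in headers:
        if name.lower() == CLIENT_IP_HEADER.lower():
            chain.extend(part.strip() for part in value.split(",") if part.strip())
    return chain


def client_ip(peer_addr: str, headers: Iterable[Header]) -> Optional[str]:
    """Decide which address source-based rules and logs should use.

    - Without SNAT the TCP peer *is* the client; a forwarded header on such
      a connection is client-controllable and is ignored.
    - With SNAT the peer is the F5, so the header is trusted, but only the
      last entry (the one the F5 added). Earlier entries may have been
      supplied by the client to impersonate another address.
    Returns None when the peer is the F5 but no usable value exists, which
    usually means the HTTP profile / iRule is not applied to that virtual.
    """
    if peer_addr not in TRUSTED_F5_ADDRS:
        return _parse_ip(peer_addr)  # direct (non-SNAT) connection

    chain = forwarded_chain(headers)
    if not chain:
        return None
    return _parse_ip(chain[-1])


def spoof_attempt(peer_addr: str, headers: Iterable[Header]) -> bool:
    """True when a request carried more forwarded entries than the F5 adds.

    Behind a single F5 hop exactly one entry is expected; extra entries are
    worth logging because they were not produced by the load balancer.
    """
    if peer_addr not in TRUSTED_F5_ADDRS:
        return bool(forwarded_chain(headers))  # any XFF on a direct connection
    return len(forwarded_chain(headers)) > 1


if __name__ == "__main__":
    # Constructed requests: one direct, one through the F5, one with a forged entry.
    print(client_ip("203.0.113.7", [("X-Forwarded-For", "192.0.2.1")]))
    print(client_ip("10.0.0.5", [("x-forwarded-for", "203.0.113.7")]))
    print(client_ip("10.0.0.5", [("X-Forwarded-For", "192.0.2.1"),
                                 ("X-Forwarded-For", "203.0.113.7")]))
```

The "last entry wins" choice is what makes the SNAT case safe: whatever a client puts in its own header lands earlier in the chain than the value the F5 adds, so source-based rules never act on it. If the F5 in your environment is configured to replace rather than add, or sits behind another proxy, adjust the chain position accordingly rather than reusing this logic unchanged.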