IIS REMOTE_ADDR

I don't know much about IIS, but some searching brings me http://blogs.msdn.com/david.wang/archive/2005/09/28/HOWTO-ISAPI-Filter-which-Logs-original-Client-IP-for-Load-Balanced-IIS-Servers.aspx, which seems to be pretty definitive (if you look at the comments) that there is no way on IIS to change that variable. The only way to make it be the real client IP is to have your IIS server receive traffic from the real client IP.

 

 

You also said that your ASM setup (ASM is something else I'm not an expert on) requires SNAT. I'm going to assume that that's true. In that case, even vlangroups will not help. So as far as I can see, there is no clean solution.

 

 

There's one wacky thing that *might* work, though, which is have the packets coming from the ASM be rewritten to have the real client IPs. One way to accomplish this *might* be via tagged vlans. The traffic flow would be:

 

 

1) Traffic comes in to your LTM from the Internet on, say, VLAN 100.

 

2) The LTM inserts a custom header with the real client IP

 

3) The LTM SNATs the traffic and sends it to the ASM on VLAN 100.

 

4) The ASM sends the traffic back to another, different VIP on the LTM on, say, VLAN 200.

 

5) The LTM, via an iRule, reads the custom header, and re-SNATs the traffic back to the original client IP, and sends it to the server on VLAN 200.

 

 

I think that this should work, and that auto-lasthop should make things just work for the return traffic.

 

 

This assumes your servers support tagged VLANs (which they really should). If they don't, then you might be able to accomplish the same thing with Route Domains on v10.x.

 

 

Again, I can't promise this is a solution, but it might be worth trying.