Forum Discussion

MichaelJordan_1
Dec 13, 2015

Network Access without SNAT

Hi

We are using an APM policy to reach our local resources. After clients connect, we can reach their machines to help them solve IT-related issues via RDP or MSRA. Here is my question: we need to SNAT them to connect to some specific hosts, since these specific hosts have no idea of (no route to) our lease pool network.

  • When I try to achieve this with a basic LTM iRule, I see nothing changes. Packets go through with the client's PPP tunnel IP address, which is assigned by the Network Access Profile.

  • When I enable the SNAT (Auto Map) feature on the Network Access Profile, RDP and MSRA do not work.

    when CLIENT_ACCEPTED {
        # CLIENT_ACCEPTED runs on the client side, so IP::remote_addr is the client's address here too;
        # the node has not been selected yet at this point
        log local0. "The Client IP is [IP::client_addr] and the node IP is [IP::remote_addr]"
        snat 10.34.23.102
    }

  • Hi,

    It can help if you can provide your clients with a VS IP instead of the real server IP. In the VS, set up SNAT and optionally a source network if you want to limit the VS to your clients' pool scope. The pool of the VS will contain the real servers.
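The approach in the reply above, as an added example (not configuration from the thread or from F5): a standard virtual server that tunnelled clients connect to in place of the real host, with Auto Map SNAT and a source restriction. The addresses (lease pool 10.34.24.0/24, VS address 10.34.23.200, real host 192.0.2.10) and the object names pool_host_192_0_2_10 and vs_na_to_192_0_2_10 are assumptions.

```tmsh
# Added example, not from the thread. Assumed: lease pool 10.34.24.0/24,
# VS address 10.34.23.200, real host 192.0.2.10. Run inside tmsh.

# Pool holding the real server; port 0 so every port is forwarded.
create ltm pool pool_host_192_0_2_10 {
    members { 192.0.2.10:0 { } }
    monitor gateway_icmp
}

# Clients use 10.34.23.200 instead of 192.0.2.10. The source restriction
# keeps the VS from answering anything outside the lease pool, and Auto Map
# SNAT makes the server see a BIG-IP self IP it can route to, so only this
# VS is translated; other client traffic still carries the tunnel address.
create ltm virtual vs_na_to_192_0_2_10 {
    destination 10.34.23.200:0
    source 10.34.24.0/24
    ip-protocol tcp
    profiles { fastL4 { } }
    pool pool_host_192_0_2_10
    source-address-translation { type automap }
    translate-address enabled
    translate-port disabled
}
save sys config

# Confirm the listener exists, then test from a connected client,
# e.g. mstsc /v:10.34.23.200
list ltm virtual vs_na_to_192_0_2_10
```

The VS address must lie inside a network that the Network Access resource tunnels (or split tunneling must be off), otherwise the client sends it outside the VPN. One such VS is needed per real host that lacks the route; clients reach the host by the VS address, never by its real address.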

     

  • Lucas_Thompson_ (Historic F5 Account)

    In order to get iRules to fire on traffic traversing SSLVPN, you need to use the "Related iRules" configuration from the main APM virtual. You can't do this in the GUI, you have to use tmsh.

    like: tmsh modify ltm virtual xxxx related-rules { yyyy }

    where xxxx is your virtual server and yyyy is the iRule name you want.

    This function is pretty new, and I haven't personally tested very much with it. But what happens is that the iRule you've specified in "related-rules" gets automatically pushed into the special Network Access listener virtual servers. It's available in:

    • 11.4.1 hf9+
    • 12.0
    • 11.6.0 hf6+
    • 11.5.3 hf2+

    I think also that the system may need to be restarted for these changes to take effect (bigstart restart or reboot).
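The related-rules procedure above, as an added example (not code from the thread or from F5): tmsh commands that create an iRule which SNATs only connections to the hosts that have no route back to the lease pool, and attach it to the APM virtual as a related rule. The data group name dg_snat_hosts, the iRule name ir_na_snat, the virtual name vs_apm_na and the host addresses 192.0.2.10 and 192.0.2.11 are assumptions; 10.34.23.102 is the SNAT address from the question.

```tmsh
# Added example, not from the thread. Assumed names: dg_snat_hosts, ir_na_snat,
# vs_apm_na; assumed hosts 192.0.2.10 and 192.0.2.11. Run inside tmsh.

# The destinations that have no route back to the lease pool network.
create ltm data-group internal dg_snat_hosts type ip records {
    192.0.2.10/32 { }
    192.0.2.11/32 { }
}

# Translate the source only for connections to those hosts; everything else
# keeps the client's lease-pool (PPP tunnel) address. IP::local_addr is the
# destination the tunnelled client connected to. No TCP:: commands are used,
# so the rule also runs for UDP flows through the Network Access listener.
create ltm rule ir_na_snat {
when CLIENT_ACCEPTED {
    if { [class match [IP::local_addr] equals dg_snat_hosts] } {
        log local0. "NA client [IP::client_addr] -> [IP::local_addr]: SNAT to 10.34.23.102"
        snat 10.34.23.102
    }
}
}

# Attach it as a related rule of the APM virtual (tmsh only); it is pushed
# into the Network Access listener virtuals rather than run on vs_apm_na itself.
modify ltm virtual vs_apm_na related-rules { ir_na_snat }
save sys config

# Check the reference, then connect from a client and watch /var/log/ltm
# for the log line above.
list ltm virtual vs_apm_na related-rules
```

The translation address has to be one the target hosts can route back to and that BIG-IP answers for: a self IP on that network, or an address defined as a snat-translation object. Traffic from the helpdesk side to the client's lease-pool address does not pass through the Network Access listener, so this rule never touches it.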