Forum Discussion

f5beginner
Jul 09, 2019

New self IP

Hello All,

I have 3 interfaces: external, internal1 and High Availability, and I'm using F5 as a proxy server. Until now I had external traffic only and only one internal1 interface, and traffic was NATed as the F5 internal1 interface IP. Now I want to create a new internal2 interface (because I need to create a new virtual server in the same network as the internal2 interface, and it looks like it is needed), and I'm not sure how it will work, because the networks will be accessible via both internal interfaces. I guess it will work this way; please confirm or correct me:

Traffic to the internal network (let's say to 192.168.0.18) will go via the internal (172.16.1.20) interface (because on the F5 a rule is set up that 192.168.0.0/16 goes via 172.16.1.1), unlike traffic (let's say to 192.168.1.25) which goes to the same network as the second internal2 interface (192.168.1.5).

5 Replies

  • This is not problematic at all. You have three functions in play here: routing, PERMISSION to pass traffic, and translation. Let's take them one at a time.

    Routing

    Your route table will establish where BIG-IP sends traffic to next hops. It acts like any router does: connected networks establish routes by default; any transit route will need to be defined (statically, or dynamically if you have that need and are licensed for it). One caveat: auto-last-hop. If this is enabled (and it is by default), traffic will be returned from where it came, so be aware if this is a security zone.

    PERMISSION to pass traffic

    This is where your virtual servers come into play. BIG-IP is by default a default-deny device; you have to explicitly allow traffic to flow. So traffic won't automatically flow between your internal zones even if routes are there; you need to configure it that way, and you can specify which VLANs are allowed to source traffic on each virtual server.

    Translation

    You can translate the traffic from zone to zone if you need to, but you don't have to. Some security postures don't want any routes established on servers in DMZs except to push all traffic north to a security boundary. So you may need to SNAT traffic between internal zones, but if routes to BIG-IP are allowed, then translation between internal zones may not be required.

  • Hi Jason, thanks for the answer. I have already created the second interface internal2, but I have a routing problem and I will try to describe it:

    internal2: 192.168.1.5

    internal: 172.16.1.20

    Virtual server IP: 1.1.1.1 (SNAT IP for virtual server is 172.16.1.10)

    Destination Server IP (defined on virtual server) is: 192.168.1.25

    I need to set up this:

    Traffic from outside (which goes to IP 1.1.1.1 and is translated to 172.16.1.10) should go to 192.168.1.25 via interface internal (172.16.1.20).

    Now traffic goes this way:

    Traffic from outside (which goes to IP 1.1.1.1 and is translated to 172.16.1.10) goes to 192.168.1.25 via interface internal2 (192.168.1.5), and back it goes via 172.16.1.20.

    The route is of course defined via 172.16.1.20, but the server is in the same network as interface internal2 (192.168.1.0/24).

    Thank you

    • JRahm

      Hmm, not sure short of an iRule that you're going to be able to get traffic for 192.168.1.25 sent to a next hop on the non-connected network.

  • Hi, all I need is to set up a virtual server which will have an IP address from the range 192.168.1.0/24. Maybe I do not need the second internal interface internal2? But when I delete it, it does not work. I have tested setting up SNAT (with an IP from the internal interface (172.16.1.21)) on virtual servers which have connected pools with IPs in the range 192.168.1.0/24, but the problem is that traffic still goes via the internal2 (192.168.1.5) interface, while back it goes via interface 172.16.1.20, so it looks like this is not a solution.

    Simply, I need to send all traffic (including pools in network 192.168.1.0/24) via 172.16.1.20, but I need to create a virtual server in network 192.168.1.0/24 which will have a connected pool in the same network.

    • JRahm

      You can apply multiple self IPs on the same VLAN; there is no requirement to isolate them to their own interfaces.
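Added illustration, not part of the thread and not F5's own documentation: a tmsh sketch that puts Jason's three functions (routing, permission, translation) and JRahm's last point (a second self IP on the existing VLAN instead of a separate internal2 interface) into one configuration. The addresses are the ones the thread uses; the VLAN names `internal` and `external`, the object names (`self_internal_172`, `self_internal_192`, `internal_net`, `snat_internal`, `app_pool`, `vs_app`) and the service port 80 are assumptions.

```tmsh
# Added example (not from the thread or from F5). Names and port 80 are assumed;
# addresses are the thread's. Enter these in tmsh on the BIG-IP, or prefix
# each line with "tmsh" from the bash shell.

# --- Routing -----------------------------------------------------------------
# Two self IPs on the same VLAN (JRahm's suggestion). With both on "internal",
# 192.168.1.0/24 becomes a connected route on that VLAN, so a request to
# 192.168.1.25 and its reply use the same VLAN instead of internal2 out and
# internal back. "allow-service none" is port lockdown: the self IPs accept no
# inbound services from those networks, which keeps the device's own listeners
# out of reach of the servers behind it.
create net self self_internal_172 address 172.16.1.20/24 vlan internal allow-service none
create net self self_internal_192 address 192.168.1.5/24 vlan internal allow-service none

# Static route for the rest of the 192.168.0.0/16 space via the internal gateway
# (the "rule" the original post describes). The more specific connected /24
# wins for 192.168.1.25, which is the behaviour the second post observed.
create net route internal_net network 192.168.0.0/16 gw 172.16.1.1

# --- Translation -------------------------------------------------------------
# SNAT pool so the pool member sees 172.16.1.10 as the client, matching the
# thread; without SNAT the server would need its own route back to the client.
create ltm snatpool snat_internal members add { 172.16.1.10 }

# --- Permission --------------------------------------------------------------
# BIG-IP is default-deny: only a virtual server lets traffic through. Enabling
# the listener on the external VLAN only means an internal host cannot use
# 1.1.1.1 as a hop into another internal zone. auto-lasthop is left at the
# global default Jason mentions; it can be set per virtual server instead.
create ltm pool app_pool monitor http members add { 192.168.1.25:80 }
create ltm virtual vs_app destination 1.1.1.1:80 ip-protocol tcp profiles add { tcp http } pool app_pool source-address-translation { type snat pool snat_internal } vlans-enabled vlans add { external } auto-lasthop default

# --- Checks ------------------------------------------------------------------
# Confirm both self IPs sit on the same VLAN and see which route 192.168.1.25
# resolves to (the connected /24, not internal_net).
list net self
list net route
show net route
```

The `vlans-enabled vlans add { external }` clause is the least-privilege part: it narrows the virtual server to the zone that is supposed to originate the traffic, so routes that exist for return traffic do not silently become a path between internal zones.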