Forum Discussion
Not using SNAT for VPN clients, F5 not using Floating IP of virtual server.
Hi ZANOOB, if the virtual server is set to take the source traffic of your lease pool and send it to the gateway, why would having SNAT enabled send the traffic somewhere else? I could be missing something, but if you create a SNAT pool of addresses for the lease pool to use and enable it on that virtual, I think that should solve your problem.
- ZANOOB, Aug 29, 2023 (Cirrus)
Hello JRahm,
Thank you for your reply. Let me now try to explain.
Question: Hi @ZANOOB, if the virtual server is set to take the source traffic of your lease pool and send it to the gateway, why would having SNAT enabled send the traffic somewhere else?
Answer: I have the IPv4 lease pool for a /22 subnet in the connectivity profile, and the client receives an IP address from it. However, when the traffic leaves the F5 towards my firewall, it uses the self IP address of the F5 as the source towards the destination.
VPN client IP---> F5 (source IP changes to f5 self IP)---> firewall ---> destination.
My objective: keep the source IP (the VPN client IP) when leaving the F5 towards the firewall and on to the destination.
Workaround I did: created a SNAT pool with the same addresses as the IPv4 lease pool (as you mentioned above). However, the problem is that the SNAT pool has many IPs, and the one chosen does not necessarily match the client IP when the traffic leaves the F5 towards my firewall.
Trying to see if there is an iRule I could use so that the SNAT pool IP chosen is the same as the VPN client source, so that when the packet reaches the firewall (exiting the F5 towards the destination) we still see the same IP of the client and not a random IP from the SNAT pool.
Was checking an iRule:

when CLIENT_ACCEPTED {
    # Switch on the client's address (IP::client_addr). IP::local_addr, as
    # originally written, is the virtual server's own address inside
    # CLIENT_ACCEPTED and would never match a lease-pool entry.
    # Addresses are as posted, with the missing dot in the first two octets
    # restored (172.16.48.x assumed); one entry per lease-pool address,
    # continued to the end of the lease subnet.
    switch -glob [IP::client_addr] {
        "172.16.48.10" { snat 172.16.48.10 }
        "172.16.48.11" { snat 172.16.48.11 }
        "172.16.48.12" { snat 172.16.48.12 }
        "172.16.48.13" { snat 172.16.48.13 }
    }
}

Still need to test the iRule though.
But I don't get why there was no option/feature in F5 that will keep the source IP when exiting via the self IP. I understand SNAT automap and reverse routes. However, in my case the requirement is to keep the source IP as the client IP.
Regards,
Zanoob
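The per-address switch table above has to be regenerated whenever the lease pool changes. The following iRule is an added example (not ZANOOB's iRule and not F5-supplied code) showing the general form of the same idea: any client whose source is inside the lease subnet is SNATed to its own address, so the firewall sees the VPN client IP, and anything else is left to the virtual server's configured SNAT setting and logged for review. The lease subnet 172.16.48.0/22 is a placeholder assumption; substitute the pool configured in the connectivity profile. The firewall still needs a return route for the lease subnet pointing at the F5, because the source address the firewall sees is no longer an F5 self IP.

```tcl
# Added example (not ZANOOB's iRule): SNAT each VPN client to its own
# lease-pool address so the firewall sees the client IP, without a
# per-address switch table.
# Assumption: the IPv4 lease pool is 172.16.48.0/22 (placeholder; use the
# pool actually configured in the connectivity profile).
when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    if { [IP::addr $client equals 172.16.48.0/22] } {
        # Translate to the client's own lease address: the source seen by the
        # firewall is unchanged. The firewall must route 172.16.48.0/22 back
        # to the F5 for the return traffic.
        snat $client
    } else {
        # A connection not sourced from the lease pool keeps the virtual
        # server's configured SNAT behaviour (for example automap); log it so
        # unexpected sources reaching this virtual can be reviewed.
        log local0. "non-lease source $client on [virtual name]; leaving SNAT setting as configured"
    }
}
```

Verify the result on the firewall side rather than on the F5: a connection from a VPN client should arrive with its lease-pool address as the source, and the log line above should stay empty during normal use, since every connection on the network access virtual is expected to come from the lease pool.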