Forum Discussion
Retain Original Source IP address of Clients
To retain the original source IP address of clients connecting to an Exchange 2010 virtual server for SMTP. The virtual server IP and the pool member IPs are in different subnets, and SNAT is enabled. The Exchange team needs to build policies on the server using the real IP addresses of the clients connecting to the virtual server for SMTP. However, since SNAT is enabled, the client address is translated to the floating IP of the F5. One way to retain the original client IP address is to disable SNAT and point the Exchange servers' (pool members') default gateway at the F5 floating IP. Can you please suggest any other way? The code on the F5 is 10.2.2.
9 Replies
- What_Lies_Bene1
Cirrostratus
XFF won't be relevant here as it's not HTTP traffic.
You could just use static routes on your Exchange servers that point the real client subnets back through the F5, rather than using the default route and routing everything that way. If you'd like to provide further details, I can be more specific.
- fubarSUSHI
Altocumulus
I utilize an iRule SNAT for our Exchange environment. They have asked us for the same need, to ensure seeing the true source MACs/IPs.

    when CLIENT_ACCEPTED {
        # SNAT only connections whose source is in datagroup_Hosts;
        # every other source is left untranslated by this rule
        if { [matchclass [IP::client_addr] equals datagroup_Hosts] } {
            snatpool snatpool_SNAT
        }
    }

datagroup_Hosts = the network segment of the pool members.
snatpool_SNAT = the SNAT pool IP. I use the same segment as our VIP/VS segment.
*edited for formatting.
- kenny_50210
Nimbostratus
Thanks dirtiPACKET! This will help us out as well, as our Exchange admins want to preserve client MACs/IPs when traffic is passing through the VIP.
- Boneyard
I hope you don't expect to see the actual client MAC/IP; you might be able to relate things, but the actual information is lost. The client MAC is lost the moment the packet hits the first router anyway.
- fubarSUSHI
Altocumulus
@Boneyard - true, but at the cost of what context? Your edge FW/router is usually based on MPLS for your remote sites, and it would all be "internal" anyway... especially for Exchange. If you have a lot of external web traffic other than Exchange, then you can still create policies that allow the true source MAC/IP to keep itself embedded without being stripped by NAT rules, especially if you are PATing. My company, for example, allows all true MACs to go across the wire for logging/informational purposes, except for our B2Bs and extranets. Then we have to hide everything with NAT-specific policies.
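Both non-SNAT answers above (static routes on the Exchange servers pointing the client subnets back at the BIG-IP, and leaving the virtual server without SNAT while the posted iRule SNATs only the sources listed in datagroup_Hosts) come down to one question per client source: does the server's reply to that client's real address pass back through the BIG-IP? The following is an added example, not code from this thread or from F5. It is a small Python model of a pool member's routing table that answers that question for each source, derives what would have to go into datagroup_Hosts, and flags the failure case. All addresses, subnets, the routing tables and the function names are constructed for illustration.

```python
import ipaddress

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# --- Constructed topology for illustration; none of these are the poster's addresses ---
F5_FLOATING = IPAddr("10.10.20.1")      # BIG-IP floating self IP on the pool-member VLAN
POOL_SUBNET = IPNet("10.10.20.0/24")    # where the Exchange pool members sit
CORP_ROUTER = IPAddr("10.10.20.254")    # the servers' existing default gateway (not the BIG-IP)
ON_LINK = None                          # gateway marker: delivered directly via ARP, no router

# Sources that send SMTP to the virtual server (constructed). The pool subnet is
# included because hosts on it can reach the VIP too; that is the case the posted
# iRule's data group exists for.
CLIENT_SUBNETS = [IPNet("192.0.2.0/24"), IPNet("198.51.100.0/24"), POOL_SUBNET]

# A pool member's routing table as (destination, gateway) pairs. This is the
# "as-is" state from the question: connected subnet plus a default route that
# does not go through the BIG-IP.
ROUTES_AS_IS = [
    (POOL_SUBNET, ON_LINK),
    (IPNet("0.0.0.0/0"), CORP_ROUTER),
]


def next_hop(routes, dst):
    """Longest-prefix match for a destination network (use a /32 for a host)."""
    best = None
    for net, gw in routes:
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def needs_snat(routes, client_net):
    """With SNAT off the server answers the client's real address, so the flow
    only works if that reply is routed back through the BIG-IP. On-link clients
    (ARP, no router involved) and clients reached via another gateway bypass it,
    so those sources must still be SNATed."""
    return next_hop(routes, client_net) != F5_FLOATING


def with_static_routes(routes, client_subnets):
    """The first reply's option: static routes for the client subnets via the
    BIG-IP floating IP, leaving the default gateway alone. Subnets the server is
    directly connected to cannot be sent through a gateway and are skipped."""
    extra = [(net, F5_FLOATING) for net in client_subnets
             if next_hop(routes, net) is not ON_LINK]
    return list(routes) + extra


def datagroup_entries(routes, candidate_subnets):
    """What would belong in datagroup_Hosts for the posted iRule under these
    routes: every source whose reply would not come back through the BIG-IP."""
    return sorted(str(net) for net in candidate_subnets if needs_snat(routes, net))


def classify(routes, datagroup, client_ip):
    """Outcome for one client under 'no SNAT on the virtual server + iRule':
    'real-ip' - reply returns via the BIG-IP, the server logs the real client
    'snat'    - data group matched, the server sees the SNAT pool address instead
    'broken'  - reply bypasses the BIG-IP and nothing SNATs it: the client is
                answered from the server's own IP rather than the VIP and the
                connection never completes."""
    host = IPNet(f"{client_ip}/32")
    if any(host.subnet_of(IPNet(entry)) for entry in datagroup):
        return "snat"
    return "broken" if needs_snat(routes, host) else "real-ip"


if __name__ == "__main__":
    fixed = with_static_routes(ROUTES_AS_IS, CLIENT_SUBNETS)
    dg = datagroup_entries(fixed, CLIENT_SUBNETS)
    print("datagroup_Hosts as-is      :", datagroup_entries(ROUTES_AS_IS, CLIENT_SUBNETS))
    print("datagroup_Hosts with routes:", dg)
    for ip in ("192.0.2.25", "10.10.20.33", "203.0.113.7"):
        print(ip, "->", classify(fixed, dg, ip))
```

The 'broken' result is the check worth running before turning SNAT off on the virtual server: any client subnet that has neither a static route back through the BIG-IP nor an entry in the data group fails silently rather than falling back to translation, and in the as-is table (default gateway on another router, no static routes) every off-subnet client is in that state.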