Forum Discussion
Rakesh_125911 Nimbostratus
Jun 11, 2013
Retain Original Source IP address of Clients

To retain the original source IP address of clients connecting to an Exchange 2010 virtual server for SMTP. Virtual server IP and pool member IPs are in different subnets, SNAT is enabled. Exchange tea...
dirtiPACKET_136 Nimbostratus
Oct 28, 2013
I utilize an iRule SNAT for our Exchange environment. They have asked us for the same need to ensure seeing the true source MAC/IPs.
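when CLIENT_ACCEPTED {
    # SNAT only those clients whose address matches the datagroup_Hosts data group
    if { [matchclass [IP::client_addr] equals datagroup_Hosts] } {
        # Translate the source to an address from snatpool_SNAT
        snatpool snatpool_SNAT
    }
}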
datagroup_Hosts = the network segment of the pool members.
snatpool_SNAT = the SNAT pool IP. I use the same segment from our VIP/VS segment.
*edited for formatting.
- kenny_50210 Nimbostratus, Oct 28, 2013
  Thanks dirtiPACKET! This will help us out as well, as our Exchange admins want to preserve client MAC/IPs when traffic is passing through the VIP.
- boneyard MVP, Oct 29, 2013
  I hope you don't expect to see the actual client MAC / IP. You might be able to relate things, but the actual information is lost. Client MAC is lost the moment the packet hits the first router anyway.
- dirtiPACKET_136 Nimbostratus, Nov 01, 2013
  @Boneyard - true, but at the cost of what context? Your edge fw/router is usually based on MPLS for your remote sites and it would all be "internal" anyways... especially for Exchange. If you have a lot of external web traffic, other than Exchange, then you can still create policies that allow the true source MAC/IP to keep itself embedded without being stripped for NAT rules. Especially if you are PATing. My company, for example, allows all true MACs to go across the wire for logging/informational purposes except for our B2Bs and Extranets. Then we have to hide everything with NAT-specific policies.
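An added example, not part of the thread and not code from any of its posters: a variant of the conditional-SNAT iRule that also logs the client-to-SNAT mapping, so the translated address the Exchange server records can be related back to the original client. It reuses the thread's datagroup_Hosts and snatpool_SNAT names; the use of `class match` (BIG-IP v10 and later), the variable names and the local0 log facility are assumptions.

```tcl
# Added example (not from the thread). Assumes BIG-IP v10+ and that the
# data group datagroup_Hosts and SNAT pool snatpool_SNAT from the thread exist.
when CLIENT_ACCEPTED {
    # Capture the original client endpoint before any translation happens.
    set orig_ip   [IP::client_addr]
    set orig_port [TCP::client_port]
    set snat_applied 0

    if { [class match $orig_ip equals datagroup_Hosts] } {
        # Client sits on the pool members' segment: translate the source so
        # the server's reply returns through the BIG-IP.
        snatpool snatpool_SNAT
        set snat_applied 1
    }
}

when SERVER_CONNECTED {
    # In the server-side context, IP::local_addr and TCP::local_port are the
    # source address and port the pool member sees for this connection.
    if { $snat_applied } {
        set seen_as "[IP::local_addr]:[TCP::local_port]"
        set server  "[IP::server_addr]:[TCP::server_port]"
        log local0. "snat-map client=$orig_ip:$orig_port seen_as=$seen_as server=$server"
    }
}
```

Matching the `seen_as` address and port, together with the timestamp, against the remote endpoint in the server's own logs recovers the original client IP for translated connections; connections that are not translated reach the server with their source IP unchanged.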