Rakesh_125911
Nimbostratus
Jun 11, 2013
Retain Original Source IP address of Clients
To retain the original source IP address of clients connecting to the Exchange 2010 virtual server for SMTP. Virtual server IP and pool member IPs are in different subnets; SNAT is enabled. Exchange tea...
dirtiPACKET_136
Nimbostratus
Oct 28, 2013
I utilize an iRule SNAT for our Exchange environment. They have asked us for the same need to ensure seeing the true source MAC/IPs.
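    when CLIENT_ACCEPTED {
        # SNAT only the clients whose address is in the data group;
        # every other client keeps its original source IP.
        if { [matchclass [IP::client_addr] equals datagroup_Hosts] } {
            snatpool snatpool_SNAT
        }
    }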
datagroup_Hosts = the network segment of the pool members.
snatpool_SNAT = is the snat pool IP. I use the same segment from our VIP/VS segment.
*edited for formatting.
dirtiPACKET_136
Nimbostratus
Nov 01, 2013
@Boneyard - true, but at the cost of what context? Your edge fw/router is usually based on MPLS for your remote sites and it would all be "internal" anyways... especially for Exchange. If you have a lot of external web traffic, other than Exchange, then you can still create policies that allow the true source MAC/IP to keep itself embedded without being stripped for NAT rules. Especially if you are PATing. My company, for example, allows all true MACs to go across the wire for logging/informational purposes except for our B2Bs and extranets. Then we have to hide everything with NAT-specific policies.
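Added example, not code from either poster: a variant of the selective-SNAT iRule posted above that also logs the original client address whenever SNAT is applied, so connections that reach Exchange with a SNAT pool address can still be traced back on the BIG-IP. It assumes a TMOS version that supports `class match` (v10 or later), reuses the data group and SNAT pool names from the post, and the `local0.info` log target is an assumption.

```tcl
when CLIENT_ACCEPTED {
    # Track whether this connection gets translated (variable name is illustrative).
    set snat_applied 0

    # Same test as the posted iRule, using class match instead of matchclass:
    # only clients in the pool members' segment are SNATed.
    if { [class match [IP::client_addr] equals datagroup_Hosts] } {
        snatpool snatpool_SNAT
        set snat_applied 1
    }
}

when SERVER_CONNECTED {
    # On the server side, IP::local_addr / TCP::local_port are the source
    # address and port the pool member sees. Record the mapping so an
    # Exchange SMTP log entry showing the SNAT address can be matched
    # to the real client.
    if { $snat_applied } {
        log local0.info "SNAT on [virtual name]: client [IP::client_addr]:[TCP::client_port] translated to [IP::local_addr]:[TCP::local_port] for member [IP::server_addr]:[TCP::server_port]"
    }
}
```

Clients outside the data group are not logged here because their source address reaches the pool member unchanged.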