Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Misty_Spillers's avatar
Misty_Spillers
Icon for Nimbostratus rankNimbostratus
13 years ago

Separating APM traffic from LTM traffic

I posted this on the APM forum months ago and didn't get a response. So I'm going to try here since it really isn't an APM thing. Original question:   ---   I need a little guidance on how I sh...
config
design
Kyle_S_52590's avatar
Kyle_S_52590
Icon for Nimbostratus rankNimbostratus
11 years ago

We have implemented Route Domains to isolate our SSL VPN users. It works very well and in our APM Access Policy we use the object Route Domain and SNAT selection. You will have to create self-ip addresses, routes, and pool selections. The trick is to remember to use the % with everything. So the route domain you create is SSL_VPN Route ID 1, everything associated in that route domain needs to end with %1. The default route would be destination 0.0.0.0%1 use gateway 192.168.1.1%1. A self-ip for this domain would be 192.168.2.1%1. Even nodes can have the same IP addresses as long as they are placed in the correct route domain. I hope this helps.

 

Kyle_S_52590's avatar
Kyle_S_52590
Icon for Nimbostratus rankNimbostratus
11 years ago
You can set independent default routes to each Route Domain. We chose to use the Route Domain because when we had issues with how the Lease Pool routed back using the self-ip address. After we implemented the Route Domain we were able to route the traffic the way we wanted it to go without over complicating it. So for VPN connections, we have the VS on the main Route Domain (no %), but once the APM policy kicks in, we assign those users with the Route Domain and SNAT selections in the APM objects. It is a selectable item like adding a message box or AD Auth. After adding the item, you will have a drop down to select the Route Domain you want it reference. All the self-ips, and routes that will need to be associated with that Route Domain will need to have the % included. It might be easier to understand if you draw it out, top to bottom, how the VPN user would hit your VS, then process through the APM module and then access onto your network. Draw a line where the Route Domain Selection is made and everything above the line is on the normal route domain, and everything below is in the VPN Route Domain (% required). It took a bit of trial and error but we got it figured out. Good luck.