Forum Discussion
SNAT - Do I need it?
We have an LTM which has a standard HTTP VIP with a pool of ISA proxy servers. SNAT automap is enabled for this VIP.
The guys who manage the proxies have said that they need to see the client's IP address rather than the F5's IP; this is due to some authentication issue they have.
So the VIP is:
10.50.40.1
The nodes in the pool are all on the 10.55.55.0/24 subnet
The F5 will SNAT using the egress interface which is also on the 10.55.55.0/24 subnet.
So obviously if I disable SNAT the original client IP will be retained. The source address hitting the server won't be in the same subnet as the server, so we need to make sure it has a route back to the original client.
In this type of setup is there a need for SNAT? This is on a totally internal network. The ISA servers will forward to the internet, but does it matter what the original source IP was?
thanks,
- natheCirrocumulusLuca
- Luca_55898Nimbostratus
That's a good point about 'out of state' issues. If SNAT is not used the ISA server will reply back using its default gateway, which is not the F5; asynchronous routing will occur.

As you said, a workaround would be to set the default gateway of the ISA to the F5. We have an HA cluster, so it would have to use the floating IP to ensure it's always available.

I looked into the x-forwarded header, also not sure if ISA supports it, but I will investigate as I don't like the idea of not using SNAT... anyone could log on to the server and change the gateway, whereas only a few people have access to the F5.
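The trade-off discussed in this thread, as an added example that is not part of any poster's reply: a small Python model of which source address the pool member sees and where it sends its reply, with and without SNAT automap. Only the 10.55.55.0/24 node subnet comes from the thread; the client, router and floating self IP addresses are constructed, and the model assumes automap translates to that single floating self IP.

```python
import ipaddress

SERVER_NET = ipaddress.ip_network("10.55.55.0/24")  # node subnet from the thread
# Constructed sample addresses (assumptions, not from the thread):
F5_FLOATING_SELF_IP = ipaddress.ip_address("10.55.55.5")
CORE_ROUTER = ipaddress.ip_address("10.55.55.254")
REMOTE_CLIENT = ipaddress.ip_address("10.20.30.40")
ONLINK_CLIENT = ipaddress.ip_address("10.55.55.77")


def source_seen_by_server(client, snat_automap):
    """Source IP on the packet the pool member receives."""
    return F5_FLOATING_SELF_IP if snat_automap else client


def reply_next_hop(src_seen, default_gateway):
    """On-link sources are answered directly; all others go to the gateway."""
    return src_seen if src_seen in SERVER_NET else default_gateway


def evaluate(client, snat_automap, default_gateway):
    src = source_seen_by_server(client, snat_automap)
    hop = reply_next_hop(src, default_gateway)
    return {
        "server_sees": str(src),
        "reply_next_hop": str(hop),
        # The F5 can only keep connection state if the reply comes back to it.
        "returns_via_f5": hop == F5_FLOATING_SELF_IP,
        "client_ip_visible": src == client,
    }


SCENARIOS = [
    ("SNAT on, gateway = router", REMOTE_CLIENT, True, CORE_ROUTER),
    ("SNAT off, gateway = router", REMOTE_CLIENT, False, CORE_ROUTER),
    ("SNAT off, gateway = F5 floating IP", REMOTE_CLIENT, False, F5_FLOATING_SELF_IP),
    # Edge case: a client inside the node subnet is answered directly,
    # bypassing the F5 even though the gateway points at it.
    ("SNAT off, gateway = F5, on-link client", ONLINK_CLIENT, False, F5_FLOATING_SELF_IP),
]

if __name__ == "__main__":
    for name, client, snat, gw in SCENARIOS:
        print(f"{name}: {evaluate(client, snat, gw)}")
```
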