Forum Discussion
SNAT 1:1 - Map client public IP to nat pool IP
I have a situation were we have a BIG IP F5 load balancer in front of a MS RRAS server acting as a VPN concentrator. When a user connects to the VPN the radius auth is proxied through a Cisco ISE instance to tie the user to an IP address, this allows us to create identity based firewall rules. The problem is at the moment RRAS is seeing all clients coming from the load balancer because we have SNAT enabled. In Cisco ISE you can only have one active session per endpoint ID and all users are comming through as the same endpoint ID (the load F5's internal SNAT address).
So my question, it is possible to setup SNAT in a way that each client will come from a unique SNAT address from a SNAT pool?
- Andrew-F5Employee
This isn't possible using SNAT pools.
You might be able to use an iRule similar to what's described here.
when CLIENT_ACCEPTED { snat "172.23.180.[getfield [IP::client_addr] . 4]" }
The iRule above doesn't require any SNAT object be applied to the Virtual Server.
The iRule will use the last octet of the source IP to SNAT to 172.23.180.x.
∟ For example: Source = 1.1.1.50, SNAT = 172.23.180.50.
- ZANOOBCirrus
Hello Andrew,
I am trying to have almost the same, however, to MAP the SNAP pool IP to be the same exact as the source.
For example: if my client's IP is 172.1648.10 then SNAT also has to be 172.16.48.10. (one-to-one mapping).
Can i apply the same irule (with SNAT set to none on the virtual server or SNAT set to SNAT pool?)
when CLIENT_ACCEPTED
{ snat "172.16.[getfield [IP::client_addr].[getfield [IP::client_addr]}
the last two octets will be replaced with the client's last two octets?
Regards
Zanoob
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com