Snat on the egress interface + vpn connection

Employee

Dec 20, 2011

is it similar to this? if yes, please make sure you add route for nated address back to f5 at cisco asa.

please let me know if i misunderstood your question.

[root@ve1023:Active] config  b self list
self 172.28.19.80 {
   netmask 255.255.255.0
   vlan external
   allow default
}
self 200.200.200.10 {
   netmask 255.255.255.0
   vlan internal
   allow default
}
[root@ve1023:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination any:any
   mask 0.0.0.0
   ip protocol 6
   rules myrule
}
[root@ve1023:Active] config  b pool foo list
pool foo {
   members {
      172.28.19.253:any {}
      172.28.19.254:any {}
   }
}
[root@ve1023:Active] config  b rule myrule list
rule myrule {
   when LB_SELECTED {
        if {[LB::server addr] equals "172.28.19.254"} {
                snat 1.1.1.1
        } else {
                snat 2.2.2.2
        }
}
}

1.1.1.1 is used when 172.28.19.254 is selected.

[root@ve1023:Active] config  tcpdump -e -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
13:19:20.719522 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 78: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49654 > 8.8.8.8.80: S 1754565966:1754565966(0) win 5840 
13:19:20.719571 00:50:56:b3:01:0a > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 82: vlan 4093, p 0, ethertype IPv4, 8.8.8.8.80 > 200.200.200.101.49654: S 1646625070:1646625070(0) ack 1754565967 win 4380 
13:19:20.720493 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 70: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49654 > 8.8.8.8.80: . ack 1 win 46 
13:19:20.720561 00:50:56:b3:00:b5 > 00:01:e8:d5:d4:47, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 1.1.1.1.49654 > 8.8.8.8.80: S 1628743767:1628743767(0) win 4380 
13:19:20.720567 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 219: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49654 > 8.8.8.8.80: P 1:150(149) ack 1 win 46 
13:19:20.820337 00:50:56:b3:01:0a > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 70: vlan 4093, p 0, ethertype IPv4, 8.8.8.8.80 > 200.200.200.101.49654: . ack 150 win 4529 
13:19:23.720497 00:50:56:b3:00:b5 > 00:01:e8:d5:d4:47, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 1.1.1.1.49654 > 8.8.8.8.80: S 1628743767:1628743767(0) win 4380 

2.2.2.2 is used when 172.28.19.253 is selected.

[root@ve1023:Active] config  tcpdump -e -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes

13:19:33.969451 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 78: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49655 > 8.8.8.8.80: S 616950208:616950208(0) win 5840 
13:19:33.969477 00:50:56:b3:01:0a > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 82: vlan 4093, p 0, ethertype IPv4, 8.8.8.8.80 > 200.200.200.101.49655: S 720591584:720591584(0) ack 616950209 win 4380 
13:19:33.970379 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 70: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49655 > 8.8.8.8.80: . ack 1 win 46 
13:19:33.970424 00:50:56:b3:00:b5 > 00:50:56:b3:03:7f, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 2.2.2.2.49655 > 8.8.8.8.80: S 3355095084:3355095084(0) win 4380 
13:19:33.970427 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 219: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49655 > 8.8.8.8.80: P 1:150(149) ack 1 win 46 
13:19:34.070257 00:50:56:b3:01:0a > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 70: vlan 4093, p 0, ethertype IPv4, 8.8.8.8.80 > 200.200.200.101.49655: . ack 150 win 4529 
13:19:36.970404 00:50:56:b3:00:b5 > 00:50:56:b3:03:7f, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 2.2.2.2.49655 > 8.8.8.8.80: S 3355095084:3355095084(0) win 4380 

[root@ve1023:Active] config  b arp
ARP 172.28.19.253 - 00:50:56:B3:03:7F   VLAN external   expire 54s   resolved
ARP 172.28.19.254 - 00:01:E8:D5:D4:47   VLAN external   expire 274s   resolved
ARP 200.200.200.101 - 00:50:56:B3:01:0B   VLAN internal   expire 284s   resolved

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Snat on the egress interface + vpn connection

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

can't access on prem dns when using F5LTM as a gateway

Issue with TLS Version 1.1 Deprecated Protocol

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Deleting an AS3 Tenant

Related Content

Extending F5 ADSP: Multi-Tailnet Egress

Egress control for Kubernetes using F5 Distributed Cloud Services

How to secure egress with F5 Service Proxy for Kubernetes

Application Programming Interface (API) Authentication types simplified

Ingress/Egress VPC inspection with BIG-IP and GWLB

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS