Forum Discussion

dnorthrip_22776
Nov 08, 2017

Turn Off SNAT for VPN

I am having issues trying to roll out the F5 VPN for a small group in my organization due to SNAT. I pass all traffic through a Palo Alto to identify group membership against AD to grant one department access to critical SCADA control equipment. SNAT is causing all traffic to appear from one address instead of maintaining the assigned VPN pool address. For all other users the SNAT feature is not causing me issues today. As a workaround, instead of utilizing Layer 2 connectivity to my core router and SNAT, it was assumed that I could place the VPN VLAN into a separate route domain, connect an additional link to my core from the F5 Viprion, turn on OSPF routing, and turn off automap within the APM > Secure Connectivity Profile. My logic is that the VPN VLAN (assigned VPN pool addresses) would now be advertised via OSPF, therefore allowing traffic to be returned to the F5 client. I was able to establish OSPF adjacency over the new link, the F5 route table showed all my organization's OSPF routes, but my core router could only see the self IP of the VPN VLAN. I verified that the individual assigned VPN pool address was making it to the core router instead of the SNAT address as previously witnessed before turning off SNAT/automap.


Steps: I was able to get routing set up in an alternate route domain and establish OSPF adjacency with my core switch. Within APM, on the VPN secure connectivity profile, I changed the setting from automap to none. When I connect on the F5 VPN I now see the client address pass through the Palo Alto instead of the SNAT floating IP; however, it appears the traffic is unable to return to the F5. The address also has no user information tied to it. The F5 sees all Enterprise Routes but our core does not see any advertised networks past the self IP. At this point I am out of ideas on how to get away from SNAT.


  • Created Route Domain 1
  • Deleted Self and Floating IPs for VLAN 10
  • Added the VPN Pool VLAN10 to the route domain
  • Recreated Self and Floating IPs for VLAN 10 (with %1 appended to each address to assign these to Route Domain 1)
  • Set the Self IP Port Lockdown to “Allow None”
  • Created OSPFv2 instance in Route Domain 1 and advertised VLAN10
  • Turned off AutoMap in APM>Secure Connectivity VPN Profile
  • Successfully Authenticated
  • Verified the address was inspected by the PAN that sits between the F5 and Core (unknown user)
  • Was unable to access any resources while VPN connected
  • Verified downstream from my core that the VLAN10 network was being propagated throughout the OSPF environment
  • Traffic would never return to the F5 VPN assigned pool address


4 Replies

  • This is a one-armed deployment. Access Policy ›› Network Access : Network Access List ›› >> Network Settings: SNAT Pool to None


  • Is your comment, btw, extra info or did you solve it?


    It is too complex for me to just answer.


    Have you made a picture? Perhaps that makes things clearer for yourself, or else you might share it for further input.


  • Can you show me your OSPF configuration of the BIG-IP? (imish)

    Do you see the VPN DHCP addresses in the routing table? If so, did you enable redistribution of kernel routes?

    router ospf
     redistribute kernel