
Firewall is not seeing source public IP. Log shows F5 as source IP.

Nadeem_Siddiqui
Nimbostratus

Hi,

I have a VIP that is accessible from outside. When a user connects to this VIP, in the firewall log we see the F5 source IP, whereas we should see the public IP for that user. My VIP Source Address Translation is set to "Automap". If I change Source Address Translation to "NONE" I can see the user's public IP. It looks like the incoming traffic is using my VIP, and since my DMZ server gateway points to the FW, the return traffic will use the default VIP that we have for all outbound internet traffic.

I am wondering whether I have an asymmetric routing issue or not, and whether there is any issue if I set Source Address Translation to "NONE".

 

Below is my setup:
Internet <-------> F5 <----------> FW <--------------> DMZ server 

 

2 REPLIES

Heath_Parrott
F5 Employee

If the firewall has a default gateway that is set to a floating IP/Virtual Server of the F5 pair then you should be able to disable SNAT (set to NONE). If the firewall does not point to the F5 systems for egress then SNAT Automap or the use of a SNAT pool will be required for the application to function properly.
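
The condition in the reply above, as an added example that is not part of the original thread or F5's own code: a small model that follows the server's reply for each SNAT setting and reports which source IP the firewall logs and whether the reply passes back through the F5. All addresses and node names (`f5`, `fw`, `other_router`) are constructed assumptions.

```python
import ipaddress

# Constructed lab addressing and node names (assumptions, not from the thread).
CLIENT = "203.0.113.50"   # internet user's public IP
F5_SELF = "10.1.1.5"      # F5 floating self IP on the F5<->FW segment

def lookup(routes, dst):
    """Longest-prefix match over {cidr: next_node}."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c), hop) for c, hop in routes.items()
            if ip in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def trace_reply(snat, fw_default_gw):
    """Model one inbound connection to the VIP and follow the server's reply."""
    # With Automap the F5 rewrites the source to its own self IP;
    # with None the client IP is preserved all the way to the server.
    src = F5_SELF if snat == "automap" else CLIENT
    tables = {
        "server": {"0.0.0.0/0": "fw"},        # DMZ server gateway is the FW
        "fw": {"10.1.1.0/24": "f5",           # directly connected F5 segment
               "0.0.0.0/0": fw_default_gw},   # where the FW sends internet-bound traffic
    }
    node, path = "server", ["server"]
    while node in tables:                     # stop at the first node not modelled
        node = lookup(tables[node], src)      # the reply is addressed to src
        path.append(node)
    # The F5 must see the reply to translate it back to the VIP address.
    return {"fw_logs_source": src, "path": path, "symmetric": "f5" in path}

if __name__ == "__main__":
    cases = [("automap", "other_router"), ("none", "f5"), ("none", "other_router")]
    for snat, gw in cases:
        print(snat, gw, trace_reply(snat, gw))
```

Only the last case, SNAT set to NONE with the firewall's default route pointing away from the F5, yields an asymmetric path.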

ragunath154
Cirrus

Check out the link below for nPath routing. I am not sure whether it suits you, but it is worth a try.

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/configuring-...