
SNAT 1:1 - Map client public IP to nat pool IP


I have a situation where we have a BIG-IP F5 load balancer in front of a MS RRAS server acting as a VPN concentrator. When a user connects to the VPN, the RADIUS auth is proxied through a Cisco ISE instance to tie the user to an IP address; this allows us to create identity-based firewall rules. The problem is that at the moment RRAS is seeing all clients coming from the load balancer because we have SNAT enabled. In Cisco ISE you can only have one active session per endpoint ID, and all users are coming through as the same endpoint ID (the F5's internal SNAT address).


So my question: is it possible to set up SNAT in a way that each client will come from a unique SNAT address from a SNAT pool?




F5 Employee

This isn't possible using SNAT pools.

You might be able to use an iRule similar to what's described here.

    snat "172.23.180.[getfield [IP::client_addr] . 4]"

The iRule above doesn't require any SNAT object be applied to the Virtual Server.

The iRule will use the last octet of the source IP to SNAT to 172.23.180.x.

For example: Source =, SNAT =
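
The last-octet mapping described above, modeled in Python as an added example (not part of the original answer and not F5 code): it lists which clients end up sharing a SNAT address, which matters here because ISE allows only one active session per endpoint ID. The function names and the sample client addresses are constructed for illustration; `kept=2` goes beyond the answer to cover a two-octet variant of the same rule.

```python
import ipaddress
from collections import defaultdict


def snat_for(client_ip: str, prefix: str, kept: int) -> str:
    """Model of the iRule mapping: fixed prefix + last `kept` client octets.

    prefix="172.23.180", kept=1 mirrors
        snat "172.23.180.[getfield [IP::client_addr] . 4]"
    prefix="172.16", kept=2 models a rule that keeps the last two octets.
    """
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")  # validates input
    head = prefix.split(".")
    if len(head) + kept != 4:
        raise ValueError("prefix octets + kept octets must total 4")
    return ".".join(head + octets[4 - kept:])


def collisions(clients, prefix, kept):
    """Return {snat_address: [clients]} for each SNAT address used by >1 client."""
    by_snat = defaultdict(list)
    for ip in clients:
        by_snat[snat_for(ip, prefix, kept)].append(ip)
    return {snat: ips for snat, ips in by_snat.items() if len(ips) > 1}


# Constructed sample: VPN clients on documentation ranges (RFC 5737), not real data.
CLIENTS = ["198.51.100.10", "203.0.113.10", "192.0.2.77",
           "203.0.113.200", "198.51.100.200"]

if __name__ == "__main__":
    for kept, prefix in ((1, "172.23.180"), (2, "172.16")):
        print(f"keep last {kept} octet(s) under {prefix}:")
        for ip in CLIENTS:
            print(f"  {ip:>15} -> {snat_for(ip, prefix, kept)}")
        print("  shared SNAT addresses:", collisions(CLIENTS, prefix, kept) or "none")
```

Keeping two octets widens the translated range, but any two clients whose last two octets match still map to the same SNAT address.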

Hello Andrew,

I am trying to do almost the same; however, I want to map the SNAT pool IP to be exactly the same as the source.

For example: if my client's IP is 172.16.48.10 then SNAT also has to be (one-to-one mapping).

Can I apply the same iRule (with SNAT set to none on the virtual server, or SNAT set to SNAT pool)?


    snat "172.16.[getfield [IP::client_addr] . 3].[getfield [IP::client_addr] . 4]"

Will the last two octets be replaced with the client's last two octets?