
SNAT 1:1 - Map client public IP to nat pool IP

Swilky
Nimbostratus

I have a situation where we have a BIG-IP F5 load balancer in front of a MS RRAS server acting as a VPN concentrator. When a user connects to the VPN, the RADIUS auth is proxied through a Cisco ISE instance to tie the user to an IP address; this allows us to create identity-based firewall rules. The problem is that at the moment RRAS is seeing all clients coming from the load balancer because we have SNAT enabled. In Cisco ISE you can only have one active session per endpoint ID, and all users are coming through as the same endpoint ID (the F5's internal SNAT address).


So my question: is it possible to set up SNAT in a way that each client will come from a unique SNAT address from a SNAT pool?


1 REPLY

Andrew-F5
F5 Employee

This isn't possible using SNAT pools.


You might be able to use an iRule similar to what's described here.

# Take field 4 of the dotted-quad client address (its last octet) and SNAT to that host in 172.23.180.0/24
when CLIENT_ACCEPTED { snat "172.23.180.[getfield [IP::client_addr] . 4]" }

The iRule above doesn't require any SNAT object to be applied to the Virtual Server.

The iRule will use the last octet of the source IP to SNAT to 172.23.180.x.

For example: Source = 1.1.1.50, SNAT = 172.23.180.50.
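The Python below is an added example, not the answerer's iRule or anything from F5: it models the mapping the iRule performs (split the IPv4 client address on "." and take the last octet into 172.23.180.0/24) over a constructed list of concurrent VPN clients, and reports which clients would end up sharing one SNAT address, which matters when ISE allows only one session per endpoint ID. The client addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# The /24 used in the answer's iRule; any other prefix is a local choice.
SNAT_PREFIX = "172.23.180."


def snat_for(client_ip: str) -> str:
    """Model the iRule: snat "172.23.180.[getfield [IP::client_addr] . 4]".

    getfield splits on '.' and returns field 4, i.e. the last octet of an
    IPv4 address. An IPv6 client has no such field, so reject it explicitly
    rather than building a malformed SNAT address.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("getfield on '.' assumes an IPv4 client address")
    last_octet = client_ip.split(".")[3]
    return SNAT_PREFIX + last_octet


def snat_collisions(client_ips):
    """Group clients by the SNAT address the iRule would give them.

    Returns {snat_addr: [client, ...]} for every SNAT address that more than
    one client maps to. Clients in different networks that share a last
    octet collide, so at most 256 distinct SNAT addresses are ever issued.
    """
    groups = defaultdict(list)
    for ip in client_ips:
        groups[snat_for(ip)].append(ip)
    return {snat: clients for snat, clients in groups.items() if len(clients) > 1}


# Constructed sample of concurrent VPN clients (not taken from the thread).
SAMPLE_CLIENTS = ["1.1.1.50", "203.0.113.7", "198.51.100.50", "192.0.2.7", "10.9.8.254"]

if __name__ == "__main__":
    for ip in SAMPLE_CLIENTS:
        print(f"{ip:>16} -> {snat_for(ip)}")
    for snat, clients in snat_collisions(SAMPLE_CLIENTS).items():
        print(f"collision: {clients} all appear to RRAS/ISE as {snat}")
```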