SSL-VPN and Route Domain

Mark_van_D
Cirrostratus

I'm probably missing something, but I have the following problem:

I currently have an SSL-VPN set up with SNAT Automap. The BIG-IP is connected to multiple VLANs/Self-IPs.

vlan-internal - vlan id 100
self_internal - 192.168.100.245/24

vlan-external - vlan id 200
self_external - 192.168.200.245/24
default_route - 192.168.200.1 (firewall)

ssl-vpn - ip lease-pool 172.20.20.2-230

/Common/apm-vpn-vs configured with /Common/apm-vpn-profile

The firewall has been configured to route 172.20.20.0/24 traffic to 192.168.200.245.

With SNAT Automap, connectivity works.

I have a requirement to not use SNAT.

When disabling SNAT, I have connectivity to everything except for services on 192.168.100.0/24 (the default route on the servers is not the F5); seeing as that network is directly connected to the F5, it uses that connection to reach those addresses. I'm also able to ping the IP address assigned from the lease-pool from the firewall.

I ended up creating a new partition and route-domain:

part_apm
rd_apm (id 1) - strict isolate, default rd for part_apm
default_route_apm - 192.168.200.1%0

In the access policy I did an assignment of rd_apm and set SNAT to none. This appears to have resolved my connectivity issues, in that all traffic is directed out of the default route. However, I am now unable to ping the IP address assigned from the lease-pool from the firewall.

What do I need to do to allow this? Is there a different way to configure this to achieve the required outcome?
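To make the two behaviours in the question concrete, here is a small Python model of how a route domain resolves a destination by longest-prefix match, with fall-through to the parent route domain disabled by strict isolation. This is an added example, not configuration or code from the post or from F5; the route-table entries, the "connected:" tag and the vpn-tunnel name are assumptions made for illustration, and a real BIG-IP carries far more state than this. The model reproduces the two lookups the poster describes (a 192.168.100.0/24 destination taking the directly connected VLAN in rd 0, versus the default route in rd_apm) and shows that, once the clients sit in rd_apm, a lookup in rd 0 for a lease-pool address no longer finds a connected route.

```python
# Added example (not from the original post): a simplified model of how a
# BIG-IP route domain resolves a destination, using the prefixes from the
# question above. Route-table entries, the "connected:<vlan>" tag and the
# "vpn-tunnel" name are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # "connected:<vlan>" for a directly attached network, else a gateway


@dataclass
class RouteDomain:
    rd_id: int
    routes: list = field(default_factory=list)
    strict_isolation: bool = False
    parent: Optional["RouteDomain"] = None


def lookup(rd: RouteDomain, dst: str):
    """Longest-prefix match inside a route domain.

    If nothing matches and strict isolation is off, the lookup falls through
    to the parent route domain; with strict isolation on it stops and the
    packet has no route (returned as None).
    """
    addr = ipaddress.ip_address(dst)
    while rd is not None:
        matches = [r for r in rd.routes if addr in r.prefix]
        if matches:
            best = max(matches, key=lambda r: r.prefix.prefixlen)
            return rd.rd_id, best.via
        if rd.strict_isolation:
            return None
        rd = rd.parent
    return None


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def before_rd_apm() -> RouteDomain:
    """Single route domain 0 with SNAT off: lease-pool clients live in rd 0."""
    return RouteDomain(0, [
        Route(net("192.168.100.0/24"), "connected:vlan-internal"),
        Route(net("192.168.200.0/24"), "connected:vlan-external"),
        Route(net("172.20.20.0/24"), "connected:vpn-tunnel"),  # assumed name
        Route(net("0.0.0.0/0"), "192.168.200.1"),              # default_route
    ])


def after_rd_apm():
    """rd 0 keeps the VLANs; rd_apm (id 1, strict isolation) holds the clients."""
    rd0 = RouteDomain(0, [
        Route(net("192.168.100.0/24"), "connected:vlan-internal"),
        Route(net("192.168.200.0/24"), "connected:vlan-external"),
        Route(net("0.0.0.0/0"), "192.168.200.1"),
    ])
    rd_apm = RouteDomain(1, [
        Route(net("172.20.20.0/24"), "connected:vpn-tunnel"),  # assumed name
        Route(net("0.0.0.0/0"), "192.168.200.1%0"),            # default_route_apm
    ], strict_isolation=True, parent=rd0)
    return rd0, rd_apm


if __name__ == "__main__":
    rd0 = before_rd_apm()
    # Connected /24 beats the default route: VPN traffic goes straight onto
    # vlan-internal, while the servers reply via their own default gateway.
    print("rd0  -> 192.168.100.10:", lookup(rd0, "192.168.100.10"))
    print("rd0  -> 172.20.20.5   :", lookup(rd0, "172.20.20.5"))

    rd0, rd_apm = after_rd_apm()
    # Inside rd_apm only the default route exists, so everything leaves via
    # 192.168.200.1%0, which is the behaviour the poster wanted.
    print("rd1  -> 192.168.100.10:", lookup(rd_apm, "192.168.100.10"))
    # A packet arriving in rd 0 for a lease-pool address no longer finds a
    # connected route there; strict isolation also blocks any cross-rd path.
    print("rd0  -> 172.20.20.5   :", lookup(rd0, "172.20.20.5"))
```

Run it as a script to print the four lookups; the functions return `(route_domain_id, next_hop)` tuples so the behaviour can also be checked programmatically.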

2 REPLIES

PeteWhite
F5 Employee

Add a route on the firewall to the lease-pool address range via the floating self-IP of the BIG-IP.

Thanks Pete, I've already got that in place.