
SSL-VPN and Route Domain


I'm probably missing something but I have the following problem:


Currently have an SSL-VPN setup with SNAT Automap. BIG-IP connected with multiple VLANs/Self-IPs.


vlan-internal - vlan id 100

self_internal -


vlan-external - vlan id 200

self_external -

default_route - (firewall)


ssl-vpn - ip lease-pool


/Common/apm-vpn-vs configured with /Common/apm-vpn-profile


Firewall has been configured to route traffic to


With SNAT Auto-Map connectivity works.


Have a requirement to not use SNAT.


When disabling SNAT have connectivity to everything except for services on (default route on servers is not F5), seeing as it is directly connected to the F5 it uses that connection to go to those addresses. I'm also able to ping the ip address assigned from the lease-pool from firewall.


Ended up creating a new partition and route-domain


rd_apm (id 1) - strict isolate, default rd for part_apm

default_route_apm -


In access policy did an assignment of rd_apm and set SNAT to none. This appears to have resolved my connectivity issues in that all traffic is directed out of the default route. However I am now unable to ping the ip address assigned from the lease-pool from firewall.


What do I need to do to allow this? Is there a different way to configure this to achieve the required outcome?


F5 Employee

Add a route on the firewall to the lease-pool address range via the floating self-IP of the BIG-IP.

Thanks Pete, I've already got that in place.