Turn Off SNAT for VPN

Question

I am having issues trying to roll out the F5 VPN for a small group in my organization due to SNAT.  I pass all traffic through a Palo Alto to identify group membership against AD to grant one department access to critical SCADA control equipment.  SNAT is causing all traffic to appear from one address instead of maintaining the assigned VPN pool address.  For all other users the SNAT feature is not causing me issues today.  As a work around instead of utilizing Layer 2 connectivity to my core router and SNAT it was assumed that I could place the VPN VLAN into a separate route domain, connect an additional link to my core from the F5 Viprion, turn on OSPF routing, and turn off automap within the APM &gt; Secure Connectivity Profile.  My logic is that the VPN VLAN (assigned VPN pool addresses)would now be advertised via OSPF therefore allowing traffic to be returned to the F5 client.  I was able to establish OSPF adjacency over the new link, the F5 route table showed all my organizations OSPF routes, but my core router could only see the self IP of the VPN VLAN.  I verified that the individual assigned VPN pool address was making it to the core router instead of the SNAT address as previously witnessed before turning off SNAT/automap. &nbsp;
Steps:
I was able to get routing set up in an alternate route domain and establish OSPF adjacency with my core switch.  Within APM on the VPN secure connectivity profile I changed the setting from automap to none.  When I connect on the F5 VPN I now see the client address pass through the Palo Alto instead of the SNAT floating IP however it appears the traffic is unable to return to the F5.  The address also has no user information tied to it.  The F5 sees all Enterprise Routes but our core does not see any advertised networks past the self IP.  At this point I am out of ideas on how to get away from SNAT.&nbsp;
Created Route Domain 1
Deleted Self and Floating IPs for VLAN 10
Added the VPN Pool VLAN10 to the route domain
Recreated Self and Floating IPs for VLAN 10 (with %1 appended to each address to assign these to Route Domain 1)
Set the Self IP Port Lockdown to “Allow None” 
Created OSPFv2 instance in Route Domain 1 and advertised VLAN10
Turned off AutoMap in APM&gt;Secure Connectivity VPN Profile
Successfully Authenticated
Verified the address was inspected by the PAN that sits between the F5 and Core (unknown user)
Was unable to access any resources while VPN connected
Verified downstream from my core that the VLAN10 network was being propagated throughout the OSPF environment
Traffic would never return to the F5 VPN assigned pool address&nbsp;

dnorthrip_22776 · Answer

This is a one armed deployment
Access Policy ›› Network Access : Network Access List ›› &gt;&gt; Network Settings: SNAT Pool to None&nbsp;

boneyard · Answer

is your comment btw extra info or did you solve it?&nbsp;
it is to complex for me to just answer&nbsp;
have you made a picture, perhaps that makes things clearer for yourself and else you might share it for further input.&nbsp;

dnorthrip_22776 · Answer

I have not solved the issue yet.  I included the last comment for Extra information.&nbsp;

keesvandenbos · Answer

Can you show me your ospf configuration of the bigip? (imish)
Do you see the vpn dhcp addresses in the routing table? If so did you enable redistribution of kernel routes?
router ospf redistribute kernel

Cheers,
Kees

Forum Discussion

Turn Off SNAT for VPN

4 Replies

Recent Discussions

About custome Response Blocking Page

Office Online Server with SharePoint 2016

health monitor source IP address

How to target only webview rendering with CSS?

ltm policy asm_auto_l7_policy

Related Content

Turn off SNAT selectively

SNAT IP address logging

SNAT pool persistence

F5 SMTP Fast Template - SNAT Not working as expected

Multiple SNAT pools under a single VIP