Forum Discussion
Hello,
I have the same question and the same infrastructure as Domel and the author. Actually, I don't want to use SNAT on Network Access, because in my infrastructure we would like to know what has been done on the network (src IP provided by the VPN and not the SNAT). I know it is possible by using the F5 as the gateway, but I can't change the infrastructure. A SNAT pool is also a solution, by splitting the Network Access by policy, but the client wants to know exactly what has been done on the network and what src IP was given, without changing the infrastructure. Is it possible?
Cordially.
- Domel_163525, Sep 12, 2018, Nimbostratus
Ok, I have figured it out and it worked like a charm.
Nothing else needs to be done apart from routing.
- HJMartini_13991, Sep 12, 2018, Nimbostratus
And what's the Solution for that problem?
- Domel_163525, Sep 12, 2018, Nimbostratus
On the F5 you just need to change it from AutoMap to None, as per the instruction below:
'To disable SNAT for them use: Access Policy ›› Network Access : Network Access List ›› Network Settings: SNAT Pool to None'
But from the routing side you need to make sure that the subnet/IP range you allocate for the VPN pool is reachable from your network.
If I use my two-arm deployment as an example:
Subnet1 (10.1.1.0/24) - Internal; Subnet2 (10.2.2.0/24) - External; Subnet3 (192.168.1.0/24) - VPN-Pool;
On the router in your network a route is required saying that to get to Subnet3 (VPN-Pool) you go via the self-IP (or the floating self-IP if you have an F5 cluster configured) of the F5 internal VLAN:
ip route 192.168.1.0 255.255.255.0 10.1.1.252 (where 10.1.1.252 is the F5 floating self-IP)
That was really it. You don't need to do anything else.
As many said previously, it all depends on your network and infrastructure, but you should get the general idea: the F5 is a router in its own right.
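Editor's added example, not part of any post in this thread: a small Python model of the two settings Domel describes. It reuses the addresses from the two-arm example above and assumes two constructed router config snippets in IOS-style `ip route` syntax, one without and one with the route from the post. It shows that with SNAT Automap an internal server logs the F5's floating self-IP as the source of every VPN client, while with SNAT Pool set to None it logs the client's lease address, and replies only get back to that client when the router's best route for the VPN pool points at the F5 internal self-IP. Function names such as `check_network_access` are this example's own, not F5 or router commands.

```python
from ipaddress import ip_address, ip_network

# Addressing from the two-arm example in the post above (constructed sample values)
INTERNAL_NET = ip_network("10.1.1.0/24")   # Subnet1, the F5 internal VLAN
VPN_POOL = ip_network("192.168.1.0/24")    # Subnet3, the Network Access lease pool
F5_INTERNAL_FLOATING = "10.1.1.252"        # floating self-IP on the internal VLAN

# Constructed router config snippets (not from the thread): before and after
# adding the static route the post describes. The default route is assumed.
ROUTER_CONFIG_BEFORE = """\
ip route 0.0.0.0 0.0.0.0 10.1.1.1
"""
ROUTER_CONFIG_AFTER = """\
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 192.168.1.0 255.255.255.0 10.1.1.252
"""


def parse_ios_static_routes(config_text):
    """Parse 'ip route NETWORK MASK NEXTHOP' lines (the syntax used in the post).
    Returns a list of (IPv4Network, next_hop); all other lines are ignored."""
    routes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "ip" and parts[1] == "route":
            net = ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, parts[4]))
    return routes


def lookup_route(routes, dest):
    """Longest-prefix match for dest; returns (network, next_hop) or None."""
    dest = ip_address(dest)
    best = None
    for net, next_hop in routes:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def source_ip_seen_by_internal_host(client_ip, snat):
    """Source address an internal server logs for a packet from a VPN client.
    'automap': the F5 rewrites the source to the self-IP of the egress VLAN
               (the floating self-IP in an HA pair), so every client looks alike.
    'none':    the Network Access lease address is preserved, which is what
               the thread wants for per-user attribution."""
    if snat == "automap":
        return F5_INTERNAL_FLOATING
    if snat == "none":
        return str(ip_address(client_ip))
    raise ValueError("snat must be 'automap' or 'none' (SNAT pools are not modelled here)")


def return_path_ok(routes, client_ip, f5_self_ip=F5_INTERNAL_FLOATING):
    """True when the router's best route to the VPN client's address points at
    the F5 internal self-IP, so replies to an un-SNATed source are handed back
    to the F5 and tunnelled to the client. A bare default route also matches,
    but it sends the replies toward the internet edge instead."""
    route = lookup_route(routes, client_ip)
    return route is not None and route[1] == f5_self_ip


def check_network_access(snat, router_config, client_ip):
    """Summarise what an internal host sees and whether its replies get back."""
    seen = source_ip_seen_by_internal_host(client_ip, snat)
    if snat == "automap":
        # Replies go to an address on the F5's own internal VLAN: always on-link.
        reachable = ip_address(seen) in INTERNAL_NET
    else:
        reachable = return_path_ok(parse_ios_static_routes(router_config), client_ip)
    return {"source_seen": seen, "replies_reach_client": reachable}


if __name__ == "__main__":
    for snat in ("automap", "none"):
        for label, cfg in (("before", ROUTER_CONFIG_BEFORE), ("after", ROUTER_CONFIG_AFTER)):
            print(snat, label, check_network_access(snat, cfg, "192.168.1.10"))
```

To use this against a real deployment, paste the internal router's static routes into `ROUTER_CONFIG_AFTER` and try a few addresses from the lease pool; a result of `replies_reach_client: False` with SNAT None means the symptom from the thread (clients get an address but nothing answers) is a missing or wrong return route, not an F5 problem.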
- boneyard, Dec 15, 2018, MVP
Thanks for sharing the answer, it should indeed be that simple.