A couple of options...
1. Policy routing on the server so that packets FROM your service port are routed back to clients via the BigIP (No SNAT required)
2. Policy routing on your LAN switches/routers to forward traffic back to client via BigIP (No SNAT required)
3. Insert the original client IP into the TCP options header and have the server log THAT address and not the address of the TCP connection (Allows SNAT but requires the web server to be able to log the info from the TCP options instead of the actual TCP connection)
1 & 2 are probably more practical since you want to do SSH as well...
H
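
Option 1 sketched for a Linux server, as an added example that is not part of the original post: replies sourced from the service ports are marked and sent to a routing table whose default gateway is the BIG-IP. It assumes iproute2 and iptables on the server; the addresses, interface name, table number and mark are constructed placeholders.

```shell
#!/bin/sh
# Added example. Assumes Linux with iproute2 and iptables; every value
# below is a constructed placeholder, not taken from the post.
BIGIP_SELF_IP="${BIGIP_SELF_IP:-10.0.0.5}"  # BIG-IP self IP on the server VLAN
SERVER_IF="${SERVER_IF:-eth0}"              # interface facing the BIG-IP
LOCAL_NET="${LOCAL_NET:-10.0.0.0/24}"       # directly attached subnet
SERVICE_PORTS="${SERVICE_PORTS:-22 443}"    # ports published through the BIG-IP
TABLE_ID="${TABLE_ID:-100}"                 # dedicated routing table
FWMARK="${FWMARK:-0x64}"                    # mark tying iptables to ip rule

# Emit the commands, one per line, so they can be reviewed before applying.
return_path_commands() {
    # The dedicated table holds a single default route via the BIG-IP.
    echo "ip route add default via $BIGIP_SELF_IP dev $SERVER_IF table $TABLE_ID"
    # Replies to hosts on the local subnet keep using the main table, so
    # direct management SSH from that subnet is not sent through the BIG-IP.
    echo "ip rule add to $LOCAL_NET lookup main priority 900"
    # Marked packets consult the dedicated table.
    echo "ip rule add fwmark $FWMARK lookup $TABLE_ID priority 1000"
    for port in $SERVICE_PORTS; do
        # Locally generated TCP packets whose source port is a service port
        # are replies from that service; a mark set in mangle/OUTPUT makes
        # the kernel redo the route lookup with the mark applied.
        echo "iptables -t mangle -A OUTPUT -p tcp --sport $port -j MARK --set-mark $FWMARK"
    done
}

# Dry run by default; APPLY=1 (as root) executes each command.
if [ "${APPLY:-0}" = "1" ]; then
    return_path_commands | while read -r cmd; do
        $cmd || exit 1
    done
else
    return_path_commands
fi
```

Because the server then answers the real client address through the BIG-IP, its logs show the client IP without SNAT, which is the point of options 1 and 2.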