Forum Discussion
nishant_tor_183
Jan 21, 2015
Nimbostratus
Thanks Ed. We received a response from an F5 professional services tech who said that this was not possible, and that's why I thought of posting the question here at DevCentral to get a second opinion. I will take your response to our architect team because they had already started planning for a 2-arm setup, and that will require changes on the F5, switch and firewall side. If what you say is true, we will be able to avoid a lot of hassle if, just by disabling SNAT, we are able to retain the functionality that we already had with the CSS 11503 before we migrated off it.
- Ed_Summers
Jan 21, 2015
Nimbostratus
Did the PS tech indicate why the configuration was not possible? Based on 'face value', I do not see a problem if the server response traffic is guaranteed to return via the LTM. We have a few cases where we do not SNAT (for the same reason). Though the servers are on a different network from the LTM interfaces, default routing of the network does ensure the traffic returns through the LTM, so the connections are processed successfully. We have even run into occasions where we had to use policy-based routing (PBR, 'route maps' in Cisco terms) to ensure response traffic returned through the LTM. I just caution that I can only estimate based on what I know. If the PS tech had additional details about the case, perhaps he found something in this particular instance that supported his answer. The confusion may be in terminology. You note that your devices will be 'one-armed'. But from the logical/routing perspective, are the devices actually 'in-path' between the clients and servers?
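The return-path condition Ed describes, modelled as an added example (not part of the thread and not F5 code): the pool member's routing table decides whether a reply to the client comes back through the LTM when SNAT is disabled. The topology, addresses and route tables below are constructed for illustration.

```python
import ipaddress

# Constructed topology: the LTM's server-side self IP is the gateway a pool
# member must use for its replies when SNAT is off.
LTM_SELF_IP = "10.10.20.1"

def next_hop(routes, dst_ip):
    """Longest-prefix match over a list of (prefix, gateway) tuples."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def reply_reaches_ltm(server_routes, client_ip, snat):
    """Does the pool member's reply to this client flow back through the LTM?

    With SNAT the member sees the LTM's SNAT address as the source, so its
    reply always returns to the LTM regardless of its routing table. Without
    SNAT the member sees the real client IP and replies to it directly, so the
    reply only passes through the LTM if the member's route to that client
    (default route or a PBR-style specific route) points at the LTM.
    """
    if snat:
        return True
    return next_hop(server_routes, client_ip) == LTM_SELF_IP

# Member whose default route points at the LTM: symmetric without SNAT.
SERVER_DEFAULT_VIA_LTM = [
    ("10.10.20.0/24", "direct"),
    ("0.0.0.0/0", LTM_SELF_IP),
]

# Member whose default route points at a firewall, with one specific route
# pinning a client subnet back to the LTM (what PBR achieves on the network).
SERVER_DEFAULT_VIA_FW = [
    ("10.10.20.0/24", "direct"),
    ("192.168.50.0/24", LTM_SELF_IP),   # client subnet steered to the LTM
    ("0.0.0.0/0", "10.10.20.254"),      # firewall the LTM is not behind
]

if __name__ == "__main__":
    for client in ("192.168.50.7", "172.16.9.3"):
        ok = reply_reaches_ltm(SERVER_DEFAULT_VIA_FW, client, snat=False)
        print(f"no SNAT, client {client}: reply via LTM = {ok}")
```

A client whose subnet has no route pinned to the LTM gets a reply straight from the member's address instead of the virtual server, so the connection fails unless SNAT is re-enabled or the route is added.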