We want to set up APM VPN lease pools that do not SNAT behind an ip as we want external firewalls to control traffic.
Issue is there are two firewalls that the apm cluster will be connected to - cluster lives across two (layer 2 connected sites each with its own internal firewall - and if I use static routes to lease pools on both fw's then both firewalls will then redistribute into ospf saying they are the path into the lease pools. And pool based routing only works for outbound routing so I need to maintain symmetry for outbound and inbound routing. ie. firewall 1 should always advertise lease pools into ospf and firewall 2 should only do this when firewall 1 is down.
I was wondering can we advertise the lease pools address ranges using dynamic routing (using zebos) to maintain firewall priority and routing symmetry - Is this possible?
Otherwise I need to find a way to hand out different lease pool addresses depending on the active F5 in the cluster (the cluster exists across two sites that have layer 2 connectivity) So that when F5 1 is active, it only uses lease pools routed to and from firewall 1 and when F5 2 becomes active in failover scenario, it only uses lease pools routed to and from firewall 2.
Any help will be greatly appreciated.
I'm also interested in announcing vpn client IP using dynamic routing, if anyone knows it's possible.
Thank you in advance.