TaSM1_90432
Apr 22, 2005

V9.0.4 SNAT, but maintain source IP of client

We have two groups of servers which are on the same network (L2 and L3). Is there a way to preserve the source IP of a request from group1 web servers to a VIP on the same network of the two groups of servers, without the group2 servers sending return traffic directly back to the group1 web servers? I need to enable SNAT but want the group2 servers to retain the source IP address of the client servers.

Thank you.

2 Replies

  • If it is HTTP traffic, you can insert the source IP into the headers.
  • If it is not HTTP traffic, you could separate your layer 2 domain into two VLANs and then create a VLAN group with your layer 3 domain defined there. Put each group of servers into its own VLAN, then destination NAT the traffic. The BIG-IP will preserve the source and intercept the return traffic to correct the (now) source as the VIP, so the packet originator doesn't reset the TCP connection. I tested this in the lab a few years ago. You shouldn't need a rule for this.
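
Added example, not part of the thread and not F5 code: once SNAT hides the real source, a group2 server that reads the client address from an inserted header should honor it only when the TCP peer is the load balancer's SNAT address, since any host that can reach the server directly can set the header itself. The header name `X-Forwarded-For`, the addresses, and the assumption that the load balancer's entry comes after any client-supplied ones are all assumptions made for this sketch.

```python
import ipaddress

# Assumption: SNAT address the group2 servers see as the TCP peer (constructed value).
TRUSTED_SNAT = {ipaddress.ip_address("10.0.0.5")}


def original_client_ip(peer_addr, headers, trusted=TRUSTED_SNAT,
                       header="x-forwarded-for"):
    """Return the address to log or authorize as the client.

    peer_addr: source IP of the TCP connection as seen by the server.
    headers:   list of (name, value) tuples in wire order.
    """
    peer = ipaddress.ip_address(peer_addr)
    # Not from the load balancer: the header is sender-controlled, so
    # ignore it and use the socket address.
    if peer not in trusted:
        return str(peer)
    # Gather every value from every matching header line. A sender may
    # supply its own entries; the load balancer's entry is assumed last.
    hops = []
    for name, value in headers:
        if name.lower() == header:
            hops.extend(v.strip() for v in value.split(","))
    # Walk right to left and take the first entry that is not itself a
    # trusted proxy; anything further left is unverified.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the socket address
        if addr not in trusted:
            return str(addr)
    return str(peer)  # no usable header: only the SNAT address is known
```
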