Forum Discussion

ken_wolff_10732
Sep 20, 2006

Snatted address replacement

Is there a way to retain the actual client address and replace the snatted address with the actual client address when responding back to the client? I need the SNAT, but want to tell the client the actual address (for its logging function), not the snatted one.

For example:

Client request >> to External BigIP VLAN

Change to snatted address >> send out to domain controller

<<

Thanks, Ken

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals xxx.xxx.xxx.yyy] } {
            # replace snatted address and substitute actual client address on return to client
        }
    }

3 Replies

  • By default using SNAT forces the BIG-IP to replace the source IP address on requests it sends to the pool. The BIG-IP automatically undoes the translation when it responds back to the client to ensure the client accepts the response.

    Could you provide more detail on what exactly you are trying to accomplish?

    Why is the client going through the BIG-IP to talk with a domain controller? Why is the request then going to the internal VLAN when the original request came into the BIG-IP over the external VLAN? What traffic are you trying to load balance? What is the full path the traffic is taking and what objects on the BIG-IP do you want the traffic to go through (VIPs, SNATs, etc)?

    Aaron
  • The client is doing an 802.1x (PEAP) authentication via RADIUS servers to the domain controller. So the sequence is laptop request > Cisco switch > BigIP > RADIUS > Active Directory. The problem comes in when the RADIUS server is not local (is not on the internal VLAN). The request has to be snatted to go to a remote RADIUS server. The RADIUS log entry then shows a snatted address for the Cisco switch, i.e. a generic address instead of a specific address. This is a security issue.

    I would like to find a way to capture the switch address, and send that to the RADIUS server instead of the SNAT address. If that could work, then we could use remote RADIUS servers. Hope that is clearer. Thanks, Ken

  • You could recraft the packet, inserting an attribute-value pair using the type 4 NAS-IP-Address attribute, with the value being the *real* IP of the switch. Note that your client NAS as defined on your RADIUS server will be the source IP address of the packet, or your SNAT address. Reference RFC 2865 for additional options with RADIUS attributes.
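The packet surgery the last reply describes, worked through in Python as an added example (not the thread's own iRule and not F5 code): an Access-Request gets its type 4 NAS-IP-Address set to the switch's real address, and the Message-Authenticator (RFC 3579, mandatory on EAP/PEAP requests) is recomputed, since that HMAC covers every byte of the packet and the RADIUS server would otherwise discard the edited request. It assumes the device doing the rewrite holds the RADIUS shared secret; the secret, addresses and packet contents in the test are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

NAS_IP_ADDRESS = 4          # RFC 2865 attribute type 4: 4-byte IPv4 address of the NAS
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 attribute type 80: HMAC-MD5 over the whole packet

def parse_attributes(packet: bytes) -> list:
    """Split the attribute section after the 20-byte header into (type, value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Code, Identifier, Length, 16-byte Authenticator, then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def set_nas_ip(packet: bytes, real_nas_ip: str, secret: bytes) -> bytes:
    """Copy of an Access-Request with NAS-IP-Address set to the real NAS (the switch).
    An existing NAS-IP-Address is overwritten, else one is appended. The Message-Authenticator,
    mandatory on EAP (PEAP) requests, is recomputed because its HMAC covers every byte."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]  # random Request Authenticator, kept as is
    ip = ipaddress.IPv4Address(real_nas_ip).packed
    attrs = parse_attributes(packet[:length])
    if any(t == NAS_IP_ADDRESS for t, _ in attrs):
        attrs = [(t, ip if t == NAS_IP_ADDRESS else v) for t, v in attrs]
    else:
        attrs.append((NAS_IP_ADDRESS, ip))
    if any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        # RFC 3579 3.2: HMAC-MD5(secret, packet) with the attribute's 16 value bytes zeroed
        zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
        mac = hmac.new(secret, build_packet(code, ident, authenticator, zeroed), hashlib.md5).digest()
        attrs = [(t, mac if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return build_packet(code, ident, authenticator, attrs)

def nas_ip_of(packet: bytes) -> str:
    """NAS-IP-Address the RADIUS server would log for this packet, or '' if absent."""
    for t, v in parse_attributes(packet):
        if t == NAS_IP_ADDRESS:
            return str(ipaddress.IPv4Address(v))
    return ""
```

The RADIUS server still identifies the client NAS by the packet's source IP (the SNAT address), so the shared secret it checks against is the one configured for that address; NAS-IP-Address only fixes what ends up in the log.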