Forum Discussion

Jeff_42220
Feb 27, 2009

Getting return traffic from a server to the LTM without using SNAT?

Hello,

I wanted to see if anybody has an idea on how I can get past the following problem.

In an environment where back end servers connect to both an LTM and a firewall on separate interfaces/VLANs, we have run into a problem where the application on the server is only seeing the BigIP as the source address. We do have automap SNAT enabled which is what is causing the address translation in the first place. This is needed because the routing on the servers would otherwise send return traffic to the firewall and not back through the LTM, and the firewall would drop this asymmetric connection.

We have tried inserting the X-Forwarded-For HTTP header, but the application being used on the back end server isn't able to pick that up.

So, is there any way, if SNAT is disabled, that we could still get the server to return the traffic back through the LTM, although that would be against what the server's routing table says?

Thanks!!

Jeff

1 Reply

  • Hi Jeff,

    Since there is no exact detail of how the topology is set up, I can only provide you with avenues to investigate.

    But I had a similar requirement from a customer, and the way I made this work was:

    I created a VLAN on the switch where the nodes lived. Their default gateway was the switch. However, I placed policy-based routing so that if anything from the backend servers' addresses needed to talk to clients through the firewall, I would push it through the LTM. Everything else would go through the switch. This way any VLAN-to-VLAN traffic would use the power of the switch rather than go through the LTM. The LTM then had a route to the firewall with forwarding IP turned on.

    Hope this helps

    CB
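As an added illustration of the setup CB describes (this is an example written for this page, not configuration from the original thread or from F5 or Cisco documentation), here is what the two halves look like in Cisco IOS and F5 tmsh syntax. Every address, VLAN and object name is an assumption: servers on 10.1.20.0/24 in VLAN 20 with the switch SVI 10.1.20.1 as their default gateway, the LTM's server-side self IP 10.1.20.5, the LTM's client-facing virtual server 10.1.10.80 on the external VLAN, the firewall's inside interface 10.1.10.1 on that same VLAN, and internal traffic summarised as 10.0.0.0/8. The tmsh syntax is the v11-style form and should be checked against the BIG-IP version in use.

```text
! ---- Switch (Cisco IOS): policy-route server-originated traffic bound for
! ---- non-local destinations to the LTM; VLAN-to-VLAN traffic keeps using the switch.
ip access-list extended SERVERS-TO-CLIENTS
 ! assumed internal ranges that should continue to be routed by the switch
 deny   ip 10.1.20.0 0.0.0.255 10.0.0.0 0.255.255.255
 ! everything else leaving the server subnet is client traffic: send it to the LTM
 permit ip 10.1.20.0 0.0.0.255 any
!
route-map VIA-LTM permit 10
 match ip address SERVERS-TO-CLIENTS
 set ip next-hop 10.1.20.5
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip policy route-map VIA-LTM

# ---- LTM (tmsh, v11-style syntax): client-facing virtual server with no SNAT,
# ---- an IP-forwarding virtual server listening only on the server VLAN,
# ---- and a default route pointing at the firewall (all names assumed).
create ltm virtual vs_app_80 destination 10.1.10.80:80 pool pool_app \
    source-address-translation { type none } profiles add { http }
create ltm virtual vs_fwd_servers destination 0.0.0.0:any mask any ip-forward \
    translate-address disabled translate-port disabled \
    vlans-enabled vlans add { vlan_servers }
create net route default_via_fw network default gw 10.1.10.1
```

With SNAT removed, the reason this holds together is that the servers' reply packets now arrive at the LTM that already holds the connection-table entry for the client's flow, so they are matched to that flow and sent back out toward the firewall with the client's address intact; the forwarding virtual server only has to carry connections the servers open themselves. Two things to verify before relying on it: that the PBR access list does not catch traffic to other internal VLANs (otherwise that traffic also transits the LTM), and that a tcpdump on the LTM's server VLAN shows the server replies arriving with the real client IP as destination rather than the switch forwarding them straight to the firewall.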