Matt_64640
Oct 01, 2009 (Nimbostratus)
Help with client IP filtering and SNAT
Here's the background: My F5 is at version 9.4.6.
I have a publicly published website which resolves to the IP of a virtual server set up on my F5 and listening for traffic on 443. That passes traffic off to an ISA 2004 array which has a web-publishing rule on it, with the intent to set up an SSL session between the requesting external system and the ISA 2004 server. Once that's established, the ISA 2004 server connects to an internal web server (reverse proxy setup).
If I don't use SNAT on the F5, the ISA server sees the client IP address (the F5 just forwards the traffic), but can't establish the SSL connection with the client because the client knows its request went to one address and is coming back from a different IP address. If I use SNAT, the traffic goes into and comes back from the F5 (the ISA sees the traffic as originating from the F5), and the SSL session between the external client and the ISA server is established without issue.
My problem is that I'd like to restrict the access to specific external client IP addresses. I thought I could do this at the F5 by using an iRule to match the client IP to an entry in a datagroup. To test this, I created a datagroup and the following iRule:
when CLIENT_ACCEPTED {
    # Compare the connecting address against the address datagroup;
    # log (but do not block) any client that is not in the group.
    if { not [matchclass [IP::remote_addr] equals $::mySite_accessGroup] } {
        log local0. "[IP::remote_addr] Does not Match IP check."
    }
}
The problem I'm seeing is that in the logs, it looks like the traffic is already SNATed at this point, so the only IP I see listed in the log is the F5's self-ip for my external VLAN.
Did I miss something or does anyone have any suggestions? I'm kind of new to F5s, and I'd appreciate any assistance.
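For reference, here is a complete allow-list iRule written in the v9 syntax the post uses. It is an added example, not the original poster's iRule or anything from an answer in this thread. It keeps the datagroup name mySite_accessGroup from the post; the decision to reject non-listed clients and to apply the SNAT from inside the rule (rather than on the virtual server) are illustrative choices. CLIENT_ACCEPTED is a clientside event, so IP::client_addr there is the address the client connected from; the SNAT only rewrites the source on the serverside connection to the ISA array.

```tcl
# Added example (not the original poster's iRule): restrict a virtual
# server to an allow list of client IPs held in a v9 address datagroup,
# then SNAT the permitted connections towards the pool.
# Assumed: an address-type datagroup named mySite_accessGroup exists.
when CLIENT_ACCEPTED {
    # Clientside event: IP::client_addr is the original source address,
    # before any SNAT is applied to the serverside connection.
    if { [matchclass [IP::client_addr] equals $::mySite_accessGroup] } {
        # Permitted client: translate the source so the reply path comes
        # back through this BIG-IP (same effect as SNAT set on the VS).
        snat automap
    } else {
        log local0. "Rejecting [IP::client_addr]:[TCP::client_port] - not in allow list"
        reject
    }
}
```

Attaching the rule to the virtual server and removing the SNAT setting from the virtual server itself avoids double translation; if the SNAT stays configured on the virtual server, drop the snat line and the rule becomes a pure allow-list check.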