Forum Discussion

mohamed_KBM_201
Jul 11, 2016

Authentication based on client IP address on web server

Hi All, my customer has a Cisco ACE in bridging mode. They enabled client authorization based on client IP address. We installed an F5 BIG-IP and enabled SNAT; authorization is not working because the server sees the F5 IP address as the source. We want the server to see the client IP address instead. We enabled X-Forwarded-For on the HTTP profile and want to know what to do on the server side (please mention the steps, as I don't have much experience in web development).

Thank you

 

4 Replies

  • The application would need to be coded to recognise the XFF header.

     

    Is there any reason why you're needing to use SNAT? The LTM is capable of preserving the source IP.

     

  • Thank you Thomson for your reply. SNAT is being used because the gateway of the server is the DC firewall. If we don't use SNAT, how can we avoid asymmetric routing? Is there any solution?

     

  • When you enable X-Forwarded-For (XFF) on the http profile, it stores the original client address in the X-Forwarded-For header in the HTTP request. It is up to the web server to do something intelligent with that information.

     

    If you are using IIS as your web server, then the ISAPI plug-ins are downloadable from the BIG-IP management GUI (scroll down on the default page after logging in). This allows the web server to recognise the field and use it for logging purposes. The configuration required on other web servers varies, and Google is your friend there.

     

    However, as the other person to reply has noted, there's possibly no need to change the address at all. The only reason to use a SNAT (or SNAT automap) is to compel the traffic to return back through the LTM. If your network routing already does that (i.e. the default route on the web servers is via the LTM), then there's no need for a SNAT at all, and you can simply set source address translation ('Address Translation') in the virtual server GUI to disabled.
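For the server-side part of this answer, here is an added example that is not from the thread, not F5's ISAPI plug-in and not the customer's application. It shows the one thing an application has to get right when it authorizes on a client address that arrives in X-Forwarded-For: honour the header only when the TCP peer is the BIG-IP's SNAT address, otherwise anyone who can reach the server directly can forge it. The SNAT address (10.0.0.5), the allow-list (192.0.2.0/24) and the sample requests are constructed values for illustration, and the function names are this example's own.

```python
"""Resolve the real client address behind a BIG-IP that SNATs traffic and
inserts X-Forwarded-For (XFF), then apply an IP allow-list to that address.

Constructed example for illustration; addresses are made up.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumption: the SNAT address the BIG-IP uses towards the pool members.
# Only a peer in this list is allowed to vouch for an XFF value.
TRUSTED_PROXIES: List[IPNetwork] = [ipaddress.ip_network("10.0.0.5/32")]

# Assumption: the networks the customer's authorization rule permits.
ALLOWED_CLIENTS: List[IPNetwork] = [ipaddress.ip_network("192.0.2.0/24")]


def _in_any(addr: IPAddress, networks: Iterable[IPNetwork]) -> bool:
    return any(addr in net for net in networks)


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable[IPNetwork] = TRUSTED_PROXIES) -> Optional[IPAddress]:
    """Return the address authorization should be based on, or None if it
    cannot be determined safely.

    - Peer is not a trusted proxy: the client hit us directly, so any XFF it
      sent is untrusted input; use the peer address itself.
    - Peer is the BIG-IP: walk XFF right to left (the BIG-IP appends the
      address it saw, so the rightmost entry is the one it vouches for),
      skip trusted hops and take the first address that is not ours.
    - Malformed entry: refuse to guess and return None.
    """
    trusted = list(trusted_proxies)
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted):
        return peer
    if not xff_header:
        return peer  # proxy did not add the header; nothing better to use
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the header: fail closed
        if not _in_any(addr, trusted):
            return addr
    return peer  # every hop was one of our own proxies


def is_authorized(addr: Optional[IPAddress],
                  allowed: Iterable[IPNetwork] = ALLOWED_CLIENTS) -> bool:
    """Allow-list check; an undeterminable address is never authorized."""
    return addr is not None and _in_any(addr, allowed)


def authorize_request(remote_addr: str, xff_header: Optional[str]) -> bool:
    """Combine both steps the way a request filter would."""
    return is_authorized(client_ip(remote_addr, xff_header))


if __name__ == "__main__":
    # Constructed requests: (TCP peer as seen by the server, XFF header value)
    samples = [
        ("10.0.0.5", "192.0.2.10"),                 # via BIG-IP, allowed client
        ("10.0.0.5", "203.0.113.9"),                # via BIG-IP, not allowed
        ("10.0.0.5", "192.0.2.10, 10.0.0.5"),       # BIG-IP listed itself as a hop
        ("10.0.0.5", "203.0.113.9, 192.0.2.10"),    # client forged a first entry
        ("198.51.100.7", "192.0.2.10"),             # direct hit with forged XFF
        ("10.0.0.5", "not-an-ip"),                  # malformed header
    ]
    for peer, xff in samples:
        print(f"peer={peer:14} xff={xff!r:28} -> "
              f"client={client_ip(peer, xff)} authorized={authorize_request(peer, xff)}")
```

Run it as-is to see each constructed request resolved. The two cases worth noting are the direct hit, where the forged header is ignored and the peer address 198.51.100.7 is used, and the malformed header, which is rejected rather than falling back to the SNAT address; the SNAT address itself should never appear in the allow-list, or a bad header would silently pass.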

     

  • As IanB has alluded to, it might be worth looking at your network and setting the LTM up as your default gateway.