Forum Discussion

Swilky
Apr 26, 2020

SNAT 1:1 - Map client public IP to nat pool IP

I have a situation where we have a BIG-IP F5 load balancer in front of an MS RRAS server acting as a VPN concentrator. When a user connects to the VPN, the RADIUS auth is proxied through a Cisco ISE instance to tie the user to an IP address; this allows us to create identity-based firewall rules. The problem is that at the moment RRAS is seeing all clients coming from the load balancer because we have SNAT enabled. In Cisco ISE you can only have one active session per endpoint ID, and all users are coming through as the same endpoint ID (the F5's internal SNAT address).

So my question: is it possible to set up SNAT in a way that each client will come from a unique SNAT address out of a SNAT pool?

2 Replies

  • This isn't possible using SNAT pools.

    You might be able to use an iRule similar to what's described here.

    when CLIENT_ACCEPTED {
        # Build the SNAT address from a fixed /24 prefix plus the client's last octet.
        # getfield splits the client address on "." and index 4 selects the fourth octet.
        snat "172.23.180.[getfield [IP::client_addr] . 4]"
    }

    The iRule above doesn't require any SNAT object to be applied to the Virtual Server.

    The iRule will use the last octet of the source IP to SNAT to 172.23.180.x.

    ∟ For example: Source = 1.1.1.50, SNAT = 172.23.180.50.

    • ZANOOB

      Hello Andrew,

      I am trying to do almost the same; however, I need to map the SNAT pool IP to be exactly the same as the source.

      For example: if my client's IP is 172.16.48.10, then the SNAT also has to be 172.16.48.10 (one-to-one mapping).

      Can I apply the same iRule (with SNAT set to None on the virtual server, or with SNAT set to a SNAT pool)?

      when CLIENT_ACCEPTED {
          # Keep the client's third and fourth octets and prepend the fixed 172.16 prefix,
          # so 172.16.48.10 maps to 172.16.48.10 (and 10.9.48.10 would also map to 172.16.48.10).
          snat "172.16.[getfield [IP::client_addr] . 3].[getfield [IP::client_addr] . 4]"
      }

      Will the last two octets be replaced with the client's last two octets?

       Regards

      Zanoob
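Both iRules in this thread derive the SNAT address from part of the client address, so the mapping is only one-to-one if no two clients that can reach the virtual server share those octets. The block below is an added example, not code from the thread and not an F5 iRule: it models the first reply's last-octet rule and Zanoob's last-two-octets variant in Python and checks a list of client addresses for collisions before the rule goes onto the BIG-IP. The prefixes 172.23.180 and 172.16 come from the thread; the client addresses are constructed test data.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List


def _octets(client_ip: str) -> List[int]:
    """Validate an IPv4 literal and return its four octets; raises ValueError on bad input."""
    return list(ipaddress.IPv4Address(client_ip).packed)


def snat_last_octet(client_ip: str, prefix: str = "172.23.180") -> str:
    """Model of the first reply's rule: fixed /24 prefix plus the client's fourth octet.

    Mirrors  snat "172.23.180.[getfield [IP::client_addr] . 4]"
    """
    return f"{prefix}.{_octets(client_ip)[3]}"


def snat_last_two_octets(client_ip: str, prefix: str = "172.16") -> str:
    """Model of Zanoob's variant: fixed /16 prefix plus the client's third and fourth octets."""
    o = _octets(client_ip)
    return f"{prefix}.{o[2]}.{o[3]}"


def find_collisions(client_ips: Iterable[str],
                    mapper: Callable[[str], str]) -> Dict[str, List[str]]:
    """Return {snat_address: [client_ips]} for every SNAT address shared by more than one client.

    Any entry here means the server behind the BIG-IP (and the per-endpoint session table in
    ISE that the original post describes) would see two different users as one endpoint.
    """
    seen: Dict[str, List[str]] = {}
    for ip in client_ips:
        seen.setdefault(mapper(ip), []).append(ip)
    return {snat: clients for snat, clients in seen.items() if len(clients) > 1}


# Constructed sample clients (documentation ranges), not data from the thread.
SAMPLE_CLIENTS = ["203.0.113.50", "198.51.100.50", "198.51.100.51"]


if __name__ == "__main__":
    for name, mapper in (("last octet", snat_last_octet),
                         ("last two octets", snat_last_two_octets)):
        print(f"{name}: {find_collisions(SAMPLE_CLIENTS, mapper) or 'no collisions'}")
```

Run against the real set of client prefixes that can reach the virtual server; an empty result means the chosen rule is injective for that population, while any entry shows which clients would be merged into one SNAT address.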