Forum Discussion

Jose_Charpentie
Aug 24, 2015

Use VIP address as source

Hello everyone,

How can I allow the VIP IP as a source when the Pool Member initiates the connection on a specific port? I tried with a NAT but it will NAT all the traffic; I need only to NAT when the pool member initiates the traffic on a specific port. (Actually the NAT didn't work: I have a capture on a FW and the connection is using the self IP of the F5.)

I tried with a SNAT and SNAT Pool but it didn't work either; I can see the self IP in the FW when the server initiates the traffic.

I also tried with an iRule, something like this:

    when CLIENT_ACCEPTED {
        # apply the SNAT pool only for connections on port 2196
        if { [TCP::local_port] == 2196 } {
            snatpool SNAT_POOL_TEST
        }
        pool airwatch-AWCM-2001
    }

Thanks in advance for your responses.

Regards,

Jose Charpentier F

5 Replies

  • Can you please elaborate? A NAT is going to be a simple destination translation from one (origin) IP to another, while a SNAT changes the source. Why would you want to use the VIP address as the source to the server - when it is otherwise the destination on the client side?


  • Hello Kevin,

    When the connections are coming to the VIP from the customer (inbound) the traffic is being handled normally.

    User -- Firewall -- F5 VIP (192.168.101.40) -- Node (10.156.10.92)

    But when the NODE is the one that generates the traffic to the Internet (outbound) I need the BIG-IP to use the VIP IP address as the source and not the self IP of the BIG-IP. The Firewall is allowing only the VIP IP address, and in the capture I am seeing the self IP (192.168.101.7) when using NAT or SNAT.

    Node (10.156.10.92) -- F5 -- Firewall -- User

    The NODE is also hosting other services, so I need to do this translation only when the NODE starts the traffic, for example on port 2196.

    Thank you for your reply.

    Regards,

    Jose Charpentier F

    • Julio_Medina

      Hi Jose Charpentier,

      Did you get this issue solved? I'm facing that same problem today and I need some help. I would appreciate it so much.

      Thanks

  • Jana

    For outbound traffic, you can try creating an SNAT address the same as the VIP address and add the node IP address(es) in the Origin list. However, I'm not sure if you could do that for traffic from a specific port.

  • I think one way of doing this would be to create a NAT pool and add the LB VIP onto the NAT pool. Then apply this pool in the NAT translation configuration. That should take care of all the application traffic. However, if you have any health checks they will always originate from the LB backend self IP.
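As an added example, not posted by anyone in this thread, here is how the approach in the last two replies can be expressed in tmsh on the BIG-IP, using the addresses from the question: a SNAT pool whose only translation address is the VIP 192.168.101.40, applied by a wildcard forwarding virtual server that matches only connections initiated by node 10.156.10.92 to TCP port 2196, so the node's other services keep their current behaviour. The object names (snatpool_vip_outbound, vs_node_outbound_2196, snat_node_outbound) and the VLAN name internal are assumptions; the commands are typed at the tmsh prompt.

```tmsh
# Added example, not from the thread. Object and VLAN names are assumed;
# the IP addresses and port 2196 come from the question.

# 1. SNAT pool whose only translation address is the VIP address.
create ltm snatpool snatpool_vip_outbound members add { 192.168.101.40 }

# 2. Wildcard forwarding virtual server that only matches this node's
#    outbound TCP connections to port 2196 and applies the SNAT pool.
#    ip-forward keeps the real destination address and port, so this
#    listener changes nothing except the source address.
create ltm virtual vs_node_outbound_2196 destination 0.0.0.0:2196 mask any source 10.156.10.92/32 ip-protocol tcp ip-forward profiles add { fastL4 } vlans add { internal } vlans-enabled source-address-translation { type snat pool snatpool_vip_outbound }

save sys config

# 3. Verify: connections from the node should now show the VIP as the
#    server-side source instead of the self IP 192.168.101.7.
show sys connection cs-client-addr 10.156.10.92

# Alternative from Jana's reply: a plain SNAT object with the VIP as the
# translation address. Note it rewrites every destination port from that
# node, not only 2196.
# create ltm snat snat_node_outbound translation 192.168.101.40 origins add { 10.156.10.92/32 }
```

Two checks worth doing after applying this: confirm in `show sys connection` that only port 2196 flows carry the VIP as source while other traffic from the node still leaves with the self IP, and remember, as the last reply points out, that health monitor probes still originate from the self IP, so that firewall rule has to stay separate from the VIP rule.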