Forum Discussion

David_123856
Jul 21, 2014

Is it possible to change Source IP of AAA HTTP Traffic

I've followed the steps in this doc (https://devcentral.f5.com/articles/one-time-passwords-via-an-sms-gateway-with-big-ip-access-policy-manager) about setting up SMS one-time PINs and have it all working via the Email method, but would like to change over to the HTTP form method.

The issue I have struck is that the outgoing HTTP post from the F5 to the SMS Form is from the external Self-IP of the F5 appliance (which is a private address) and not routable. I have no control over the IP addressing of the F5 appliance and have been asked if it's possible to NAT the request on the F5 to a real-world IP that the Comms team can then work with.

Does anyone know if there is a way to change the Source IP of the AAA request from the F5 Appliance?

6 Replies

  • You are likely going to have to create a dummy VS which then allows you to use snat automap or snatpools (or even an iRule using the snat command).

    APM is a little inflexible in the way you can control how certain things are delivered by the BIG-IP out, but we've always historically used a dummy VS to override some of the undesired behaviours.

    Once you create the dummy VS, just point the APM settings to the VS instead of the HTTP server, and of course have the HTTP server as the pool member for the VS.

    • David_123856
      Ta, I'll give that one a try. So the only thing that I'll have to be careful of is the VS will only have the IP as a pool member, so if the SMS provider changes IPs I'll have an issue yeah? Any other things to look out for?
    • MiLK_MaN
      Yes, if the SMS provider changes IPs, you will run into some problems. If the SMS provider uses hostnames, it is possible to write a script that will resolve the DNS and then modify the pool member with the results. I'd avoid this if you can and potentially ask the SMS provider how often they change the IP, then establish the risk vs reward of whatever avenue you go down.
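The dummy-VS-with-SNAT design from the first reply, together with the DNS-reconcile script the follow-up warns about, as an added Python example (not F5 code and not code posted in this thread). It emits tmsh commands rather than applying them, so it runs offline and the output can be reviewed before it touches the BIG-IP. The object names, the 10.0.0.50 VS address, the 198.51.100.20 SNAT address, the sms-gateway.example.net hostname and the `source` restriction are constructed assumptions, and the tmsh attribute names used (`source-address-translation`, `members add`/`members delete`, `source`) are the example author's understanding, to be confirmed against your TMOS version.

```python
"""Added example for this thread (not F5 code): emit tmsh commands for an APM
"dummy" virtual server that SNATs the outbound AAA HTTP request to a routable
address, and reconcile that VS's pool with the SMS gateway's current DNS answer.

Everything here is constructed: object names, the RFC 5737 addresses, the
hostname, and the tmsh syntax as assumed by the author of this example.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable

VS_ADDR = "10.0.0.50"             # hypothetical internal address APM's AAA HTTP server posts to
PUBLIC_SNAT_IP = "198.51.100.20"  # hypothetical routable IP the comms team can allow-list
SMS_HOST = "sms-gateway.example.net"  # hypothetical SMS provider hostname
PORT = 443
ALLOWED_SRC = "10.0.0.0/24"       # hypothetical: only the BIG-IP's own self-IP subnet may use the VS


def _members(ips: Iterable[str], port: int) -> str:
    """Render pool members in tmsh 'ip:port' form, sorted for stable output."""
    return " ".join(f"{ip}:{port}" for ip in sorted(ips))


def dummy_vs_commands(members: Iterable[str], *, vs_addr: str = VS_ADDR,
                      snat_ip: str = PUBLIC_SNAT_IP, port: int = PORT,
                      allowed_src: str = ALLOWED_SRC, pool: str = "sms_gw_pool",
                      vs: str = "sms_gw_vs", snatpool: str = "sms_gw_snat") -> list[str]:
    """tmsh commands for the first reply's design: a SNAT pool holding the public
    IP, a pool containing the SMS gateway, and a plain TCP VS in front of it.
    APM's AAA HTTP server is then pointed at vs_addr instead of the provider.
    No SSL profile is attached, so TLS stays end to end between APM and the
    provider; the 'source' restriction stops other hosts using the VS as a relay."""
    return [
        f"tmsh create ltm snatpool {snatpool} members add {{ {snat_ip} }}",
        f"tmsh create ltm pool {pool} members add {{ {_members(members, port)} }} monitor https",
        f"tmsh create ltm virtual {vs} destination {vs_addr}:{port} ip-protocol tcp "
        f"profiles add {{ tcp }} pool {pool} "
        f"source-address-translation {{ type snat pool {snatpool} }} "
        f"source {allowed_src}",
    ]


def _usable(ip: str) -> bool:
    """Reject anything that should never become a pool member even if DNS says so."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and not (addr.is_loopback or addr.is_link_local
                                      or addr.is_multicast or addr.is_unspecified)


def resolve_ipv4(host: str, lookup: Callable = socket.getaddrinfo) -> set[str]:
    """Current A records for host. `lookup` is injectable so tests run offline."""
    try:
        answers = lookup(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {sockaddr[0] for *_, sockaddr in answers}


def reconcile_commands(pool: str, current: set[str], resolved: set[str],
                       port: int = PORT) -> list[str]:
    """tmsh commands that move `pool` from `current` members to `resolved`.
    Two failure modes behind the follow-up's warning are handled: a failed,
    empty or garbage lookup must not empty the pool (nothing is emitted), and
    additions are emitted before deletions so the pool is never momentarily empty."""
    usable = {ip for ip in resolved if _usable(ip)}
    if not usable:
        return []
    cmds: list[str] = []
    to_add, to_del = usable - set(current), set(current) - usable
    if to_add:
        cmds.append(f"tmsh modify ltm pool {pool} members add {{ {_members(to_add, port)} }}")
    if to_del:
        cmds.append(f"tmsh modify ltm pool {pool} members delete {{ {_members(to_del, port)} }}")
    return cmds


if __name__ == "__main__":
    # Real DNS lookup; review the output, then run it on the BIG-IP via tmsh.
    gateway = resolve_ipv4(SMS_HOST) or {"203.0.113.10"}  # constructed fallback
    print("\n".join(dummy_vs_commands(gateway)))
    print("\n".join(reconcile_commands("sms_gw_pool", {"203.0.113.10"}, gateway)))
```

Run the reconcile half from cron only if you have accepted the trade-off the follow-up describes; the `source` restriction on the VS and the refusal to act on an empty lookup are the two checks that keep a DNS hiccup or a stray client from turning the dummy VS into an open relay or an empty pool.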