Forum Discussion
6 Replies
- ka_49032Nimbostratus
Since Auto Map means you will automatically SNAT traffic to your floating self ip, the obvious answer is to disable the Auto Map and change it to None. Now requests to the node are made with the original client ip address that connects to the BIGIP.
However, if this is an HTTP application, it is common that they look at HTTP headers to get the client's IP address. The easiest way would then be to use a BIG-IP HTTP profile to enable sending the HTTP header "X-Forwarded-For", which will contain the client's IP address. The HTTP server can then look at this header and determine the client IP address.
You can also add custom HTTP headers using an iRule. If it is not an HTTP application, you can use the first suggestion, or iRules to make a more granular policy so that not all connections are using SNAT etc.
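An added example, not part of the original post: how a backend behind SNAT Auto Map can read X-Forwarded-For without accepting values the client supplied itself. It assumes the BIG-IP adds the address it saw as the last X-Forwarded-For value and leaves any client-sent values in place; the self IP range `192.0.2.0/28` and the names `TRUSTED_PROXIES` and `client_ip` are constructed for illustration.

```python
import ipaddress

# Assumption: the range holding the BIG-IP self IPs, i.e. the TCP peer the
# backend sees when SNAT Auto Map is on. Constructed documentation range.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_headers):
    """Return the address to log or make access decisions on.

    peer        -- source address of the TCP connection as the server saw it
    xff_headers -- every X-Forwarded-For header value in the request, in order
    """
    peer_addr = ipaddress.ip_address(peer)
    # A connection that did not come through the load balancer gets no say
    # via headers: use the socket address as-is.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    # Flatten repeated headers and comma lists into one left-to-right chain.
    chain = [p.strip() for v in xff_headers for p in v.split(",") if p.strip()]
    # Walk from the right: the last entry was written by the proxy nearest us,
    # entries further left may have been supplied by the client.
    for entry in reversed(chain):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            break  # malformed entry: nothing to its left can be trusted either
        if not _is_trusted(addr):
            return str(addr)
    # No usable entry: fall back to the SNAT address rather than guess.
    return str(peer_addr)
```

Log both the returned address and the raw header values, so a mismatch between them is visible during an investigation.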
- JinshuCirrus
Enabling X-forwarder in the HTTP profile will let you see the real source address in the packet header.
-Jinshu
- dfosborne2_2224Nimbostratus
I created this means by which to "Kill SNAT AutoMap":
https://devcentral.f5.com/codeshare/kill-snat-automap
I have some changes I need to make to the doc and code (I want to offer up all 3 methods I've used/tested, with the most recent method proving to be the solution that we are running with).
A few restrictions are that you must have selfIP/floatingIP presence in your pool members' subnet and your pool members must be Linux.
- Adel_Farhan_194Nimbostratus
Hi,
Regarding Auto Map, you can find the real source address by enabling X-Forwarded-For as you mentioned, and we'll get it in the X-Forwarded-For field of the HTTP headers.
Thank you for that information and your support.
Best Regards,
- Bart_18836Nimbostratus
Obviously that works only for HTTP applications. If you are running non-HTTP applications which require seeing the original client IP, you will have to change the design of your network and make the F5 the default gateway for your servers. This requires additional configuration on the BIG-IP, such as a Forwarding VIP etc.
- SAPNimbostratus
Bart,
Can you please let me know what kind of changes we can make to achieve the same if the VIP has a FastL4 profile and it's a non-HTTP VIP? The VIP is used for SFTP connections.