Forum Discussion

Sajan_Mania_381
Mar 11, 2019

With SNAT Automap enabled Performance L4 VIP - How to know the real client IP address ?

As a server owner I would like to know the real client IP address of all the requests coming to my backend server from the VIP, but SNAT Automap changes the client IP address to the F5 floating IP. Is there any way we can apply an iRule or any other profile that will allow us to know the actual client's IP address?

7 Replies

  • dluzzi

    Hello,

    You can enable the X-Forwarded-For header in the HTTP profile assigned to the VS by enabling the Insert X-Forwarded-For checkbox.

    You can also set up an iRule:

    when HTTP_REQUEST {
        HTTP::header replace X-Forwarded-For [IP::client_addr]
    }


  • The most common solution to this issue is to set up an X-Forwarded-For Header. Enabling this will tell the F5 to add in an HTTP Header that stores the original client IP address. There are a few ways to enable this on an F5, the most common being an iRule such as the one below:

    when HTTP_REQUEST {
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }


    or just enabling "Insert XFF" in your HTTP profile so that the F5 will do it for you. This article seems to be a perfect read for solving your issue.

    If you have any more questions, I am sure I can help.

  • Yes, if it is still HTTP protocol, with an HTTP profile.


  • How can we obtain the real client IP address if I am running on Performance Layer 4, which doesn't use an HTTP profile, and pass it to the back-end server?


  • Please check the comment below from rafaelbn:

    You could use an iRule to log to the BIG-IP internal syslog. After that you will need to get this information and correlate it somehow.

    when CLIENT_ACCEPTED {
        log local0. "Source IP: [IP::client_addr]"
    }


  • To correlate, you could try logging the server-side source port — [serverside {TCP::local_port}] — at the same time as the client-side source IP — [clientside {IP::remote_addr}]. I believe you can do this all when SERVER_CONNECTED. Like this (untested):

    when SERVER_CONNECTED {
      log local0.info "Client [clientside {IP::remote_addr}] connected to [IP::server_addr]:[serverside {TCP::remote_port}] from port [serverside {TCP::local_port}]"
    }
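The "correlate it somehow" step from the two log-based replies above, as an added example that is not part of the original thread: a small Python script that joins /var/log/ltm lines in the shape the SERVER_CONNECTED iRule above produces with a backend server's own connection log. The backend only ever sees the SNAT address and the ephemeral source port BIG-IP chose, so the join key is (server address, server port, SNAT source port), and because ephemeral ports are reused the script also requires the two timestamps to fall within a short window and picks the closest BIG-IP record. All log lines, hostnames, addresses and the backend log format are constructed for this example; the regular expressions assume the message text of the iRule exactly as posted and a backend log of the form `<ISO time> conn <src>:<port> -> <dst>:<port> <request>`.

```python
import re
from datetime import datetime, timedelta

# Constructed /var/log/ltm lines with the message text the SERVER_CONNECTED
# iRule in this thread emits. Hostname, pid and addresses are made up.
LTM_LOG = """\
Mar 11 10:00:01 bigip1 info tmm[1234]: Rule /Common/log_src <SERVER_CONNECTED>: Client 203.0.113.7 connected to 10.20.0.10:80 from port 40123
Mar 11 10:00:02 bigip1 info tmm[1234]: Rule /Common/log_src <SERVER_CONNECTED>: Client 198.51.100.9 connected to 10.20.0.10:80 from port 40124
Mar 11 10:05:30 bigip1 info tmm[1234]: Rule /Common/log_src <SERVER_CONNECTED>: Client 192.0.2.44 connected to 10.20.0.10:80 from port 40123
"""

# Constructed backend connection log (hypothetical format). The backend sees
# only the SNAT address 10.20.0.5 and the ephemeral port BIG-IP picked.
# Note that port 40123 is reused five minutes later by a different client,
# and the last line has no matching BIG-IP record at all.
BACKEND_LOG = """\
2019-03-11T10:00:01Z conn 10.20.0.5:40123 -> 10.20.0.10:80 GET /index.html
2019-03-11T10:00:02Z conn 10.20.0.5:40124 -> 10.20.0.10:80 GET /login
2019-03-11T10:05:31Z conn 10.20.0.5:40123 -> 10.20.0.10:80 POST /upload
2019-03-11T10:06:00Z conn 10.20.0.5:40999 -> 10.20.0.10:80 GET /health
"""

LTM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ .*?"
    r"Client (?P<client>\S+) connected to (?P<server>\S+):(?P<sport>\d+) "
    r"from port (?P<snat_port>\d+)$"
)
BACKEND_RE = re.compile(
    r"^(?P<ts>\S+) conn (?P<src>\S+):(?P<src_port>\d+) -> "
    r"(?P<dst>\S+):(?P<dst_port>\d+) (?P<req>.*)$"
)


def parse_ltm(text, year=2019):
    """Parse iRule log lines. Syslog timestamps carry no year, so one is supplied."""
    records = []
    for line in text.splitlines():
        m = LTM_RE.match(line)
        if not m:
            continue  # unrelated ltm line, skip
        records.append({
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "client": m["client"],
            "server": m["server"],
            "sport": int(m["sport"]),
            "snat_port": int(m["snat_port"]),
        })
    return records


def parse_backend(text):
    """Parse the (constructed) backend connection log."""
    records = []
    for line in text.splitlines():
        m = BACKEND_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "src_port": int(m["src_port"]),
            "dst": m["dst"], "dst_port": int(m["dst_port"]),
            "req": m["req"],
        })
    return records


def correlate(backend_records, ltm_records, window=timedelta(seconds=30)):
    """Attach the real client address to each backend record, or None if no
    BIG-IP record with the same (server, server port, SNAT port) lies within
    the time window."""
    index = {}
    for r in ltm_records:
        index.setdefault((r["server"], r["sport"], r["snat_port"]), []).append(r)
    results = []
    for b in backend_records:
        candidates = index.get((b["dst"], b["dst_port"], b["src_port"]), [])
        # Ephemeral ports are reused, so take the candidate closest in time
        # and reject anything outside the window rather than guessing.
        best = None
        for c in candidates:
            delta = abs(c["ts"] - b["ts"])
            if delta <= window and (best is None or delta < best[0]):
                best = (delta, c)
        results.append({
            "time": b["ts"].isoformat(),
            "snat_src": f"{b['src']}:{b['src_port']}",
            "request": b["req"],
            "client": best[1]["client"] if best else None,
        })
    return results


def resolve_clients():
    """Run the correlation over the constructed sample logs."""
    return correlate(parse_backend(BACKEND_LOG), parse_ltm(LTM_LOG))


if __name__ == "__main__":
    for row in resolve_clients():
        print(f"{row['time']} {row['snat_src']:<20} {row['request']:<18} client={row['client']}")
```

Two points worth keeping in mind when doing this for real: clocks on the BIG-IP and the backend must be synchronised (NTP) or the window check will silently drop matches, and the iRule as posted logs the server address but not the SNAT address itself (`[serverside {IP::local_addr}]`), so with more than one SNAT address you would want to add that to both the log line and the join key.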