Forum Discussion

Jonathon_Page
Aug 22, 2018

VPN and internet access issues - default gateway biting me.

Hi,

We currently have an F5 configured using the APM/LTM for SSL VPN.

For internet access we were using our web filtering appliances as a proxy setup, as we don't allow split-tunnel. We are moving to NGFW and the proxies are going away. We've tried just removing the proxy configuration, but the traffic hits the inside interface and then dies (I'm assuming it's because we have a static default route pointing to the firewall's DMZ IP). Our VPN is using an internally routable address and SNAT is off on it to allow users to use our VoIP software.

I've searched DevCentral on topics like PBR, VRF, etc. and I can't find any good examples of how to accomplish what I need to do. I've read discussions regarding using FastL4, but most of the comments are just that, with no actionable code (I've got some F5 experience, but most of it basic).

Back in my Cisco days, I would just put the outside (internet) in its own VRF, and I thought about using route domains, but I tried to create a new domain and move the external VLAN into it and I just got an error about it not being able to be moved (I'm wondering if this is because I have virtual servers using that IP scope?)

Thanks for any direction.

Jon

2 Replies

  • Hi, I finally figured things out by using a mix of FastL4 forwarding and an iRule to turn SNAT on or off based on source and destination IP.

    The FastL4 rule had a source of the VPN subnet and a destination of any:any, scoped to the tunnel. The iRule was pretty simple, just an if that checked whether the traffic was from the VPN and not to internal addresses; if so, turn SNAT on, else set SNAT to none.

    Thanks to the posters about PBR and FastL4, as these pointed me in the right direction.
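A sketch of the approach the reply describes, as an added example and not the poster's own iRule or an F5-supplied one. It assumes placeholder addressing (a VPN client lease pool of 10.200.0.0/16 and RFC 1918 ranges as "internal"; replace both with your own) and that the iRule is attached to a FastL4 IP-forwarding virtual server on the VPN tunnel whose source is the VPN pool and destination is any:any. Internal-bound flows keep the real client address (so VoIP and other internal services still see the VPN IP), while internet-bound flows are SNATed so the reply comes back through the BIG-IP instead of dying at the firewall.

```tcl
# Added example iRule (not from the original thread). Placeholder networks:
#   10.200.0.0/16                         - assumed VPN client lease pool
#   10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 - assumed "internal" space
# Attach to a FastL4 forwarding (IP) virtual server on the VPN tunnel VLAN.

when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    # On a forwarding virtual server the "local" address is the real
    # destination the VPN client is trying to reach.
    set dst [IP::local_addr]

    # The virtual server's source filter should already limit this to VPN
    # clients, but check anyway so a mis-scoped listener is visible in logs.
    if { not ([IP::addr $src equals 10.200.0.0/16]) } {
        log local0. "Non-VPN source $src reached the VPN forwarding VS (dst $dst)"
        snat none
        return
    }

    if { [IP::addr $dst equals 10.0.0.0/8] ||
         [IP::addr $dst equals 172.16.0.0/12] ||
         [IP::addr $dst equals 192.168.0.0/16] } {
        # Internal destination: preserve the client's VPN address.
        snat none
    } else {
        # Internet destination: translate to the self IP of the egress VLAN
        # (automap) so return traffic is routed back to the BIG-IP.
        snat automap
    }
}
```

If you have more than a handful of internal prefixes, an address-type data group checked with `class match` is easier to maintain than a chain of `IP::addr` comparisons. SNAT automap uses the self IP of the VLAN the traffic egresses on, so that VLAN needs a self IP and the BIG-IP still needs a default route toward the firewall for the forwarded flows to leave at all.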

  • Hi Jonathon

    Do you have any details on exactly what you configured to get this working? I have a similar issue and would like to get this working.