Internet access on F5 VPN with SNAT and split-tunnel disabled

Question

Hi.  I'm relatively new to the F5 environment, and we have a 4200 appliance set up to provide remote access services.   We deployed a VPN profile and connect using the Edge client and local access is fine, but internet access is not.  We managed to get internet working using a local proxy server, but that didn't work for non-standard ports (other than 80 and 443).&nbsp;
In doing some research it looks like without the proxy server, the internet traffic is trying to go out through the outside interface (which is blocked) and not the inside interface and based on the way the routing table is configured, this behavior is correct.&nbsp;  I come from the Cisco AnyConnect VPN world where we would use Policy Based Routing, I've searched and found multiple articles, but nothing clear.  Some talk about using Virtual services instead of static routes but being a new to the F5 this is something that I've not had any experience.&nbsp;Any Configuration guides or samples that anyone can provide would be appreciated.&nbsp;
Thanks&nbsp;

leonardo_souza · Answer

You are using F5 APM module.
However the APM uses internally another module called LTM.
Virtual Servers are LTM objects.&nbsp;
You first need to split the problem in 2 small problems:&nbsp;
1 - Internet traffic must go inside the VPN&nbsp;
2 - The F5 must have access to the Internet to be able to route the traffic to the Internet&nbsp;
First point, requires APM configuration.
Second point, requires LTM configuration and routing in your network.&nbsp;
Very important is to make sure traffic returning from the Internet goes back to F5 unit and 
consequently the VPN tunnel.
SNAT can help with that.&nbsp;
Some documentation that can help you with that:&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-12-1-0.html&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-12-1-1.html&nbsp;

Forum Discussion

Internet access on F5 VPN with SNAT and split-tunnel disabled

1 Reply

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

About custome Response Blocking Page

About IPI check ip list

Related Content

SSL VPN Split Tunneling and Office 365

VPN Split Tunneling: The Benefits and Risks

Protect an application exposed on Internet with F5 XC WAAP

Disabling Weak Ciphers

Disabling Specific Weak Cipher Suites