NAT Exemption / Next-Hop Routing
Hey there,
I got a tricky situation here, let me try to outline it as simply as possible. I do have a BigIP LTM running 10.2.4HF7 here which has one Uplink-VLAN (public IP space), several internal VLANs (private IP space divided up into /24s) and one link VLAN which goes directly to a Cisco ASA firewall used for remote dial-in and IPSEC site2site connections.
I'd like to have local connections (from one VLAN to the other) being routed and not NATed, that is, the source IP should stay intact, so if vlan1 wants to connect to vlan2, this should be possible and the source IP should not be changed. If the inside VLANs try to access the internet, they should be NATed of course for internet access, and if the inside VLANs try to access a remote subnet which is behind an IPSEC site2site tunnel, the packets should also not be NATed and should be forwarded to the next hop, which then takes care of throwing these packets into the IPSEC tunnel.
I've tried so many things now that I don't even recall them all, but basically, I think I have a misconception of how routing works on the BigIP.
Let's assume the following subnets: outside (internet facing) vlan: 110.0.0.0/24
inside vlans: 192.168.1.0/24 192.168.2.0/24
link subnet to the Cisco ASA firewall: 192.168.99.0/24
remote subnets: 192.168.100.0/24
I have added a route on the BigIP which routes traffic to 192.168.100.0/24 via 192.168.99.0/24 to specify the next hop. I've also added an automap SNAT for my internal VLANs and things seemed to work just fine until I realized that connections to the remote subnets did not keep their source IP; instead they were NATed to the IP on the link subnet (which is what automap does essentially) and therefore the packets did not find their way into the tunnel, because the link subnet is not part of the IPSEC site2site tunnel configuration.
I've played with several iRule examples I've found here in the forums but couldn't make them work (things like conditional SNAT, etc.), and I think I must have a design flaw somewhere in my configuration and am hoping for some valuable input here.
If you have any questions, please feel free to ask. Thanks in Advance, Alex
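As an added example (not part of the original post and not from F5's own documentation), here is a selective-SNAT iRule for the scenario described above, using the subnets from the post. It assumes a wildcard (0.0.0.0/0) IP-forwarding virtual server listening on the inside VLANs with this iRule attached, and that no separate SNAT object or SNAT automap setting also covers those source addresses, so the iRule is the only place SNAT is decided.

```tcl
# Added example iRule, not from the original post. Assumed setup: attached to a
# wildcard IP-forwarding virtual server on the inside VLANs; no other SNAT
# object applies to this traffic, so the decision below is authoritative.
when CLIENT_ACCEPTED {
    # In a forwarding virtual server the "local" address is the packet's
    # real destination, which is what the NAT decision must be based on.
    set dst [IP::local_addr]

    if { [IP::addr $dst equals 192.168.1.0/255.255.255.0] ||
         [IP::addr $dst equals 192.168.2.0/255.255.255.0] } {
        # Inside VLAN to inside VLAN: plain routing, keep the client source IP.
        snat none
    } elseif { [IP::addr $dst equals 192.168.100.0/255.255.255.0] } {
        # Remote subnet behind the ASA's IPSEC site2site tunnel: the static route
        # to 192.168.99.0/24 picks the next hop; the source IP must stay intact
        # so the ASA's crypto policy (inside <-> remote) matches the packet.
        snat none
    } else {
        # Everything else is internet-bound: source-NAT to the uplink self IP.
        snat automap
    }

    # Temporary troubleshooting line (remove once verified): shows each flow
    # and which SNAT decision was taken, visible in /var/log/ltm.
    log local0. "fwd [IP::client_addr] -> $dst snat=[expr {[IP::addr $dst equals 110.0.0.0/255.255.255.0] ? "n/a" : "see rule"}]"
}
```

When checking the result, confirm from the ASA side that tunnel-bound packets arrive with the 192.168.1.x/192.168.2.x source rather than a 192.168.99.x address; if they still show the link-subnet address, a SNAT object outside the iRule is still applying.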