Second example. When server is originating connection to NET it hits VS 0/0, is that right? No SNAT is configured so source address of server is seen outside? The route on FW pass traffic back to SRV via F5.
yes unless you also have snat list configuration.
It is enabled only on server-vlan. If I understand correctly when the server itself is originating connection outside it will hit VS 0/0. How does this configuration applies when connection is originating from another subnet (for example behind FW) to server IP address (not VS1). Connection will be dropped/rejected? Should VS 0/0 listen on all vlans to allow such connections?
yes connection will be rejected. bigip is default deny device. to allow traffic, object listener (i.e. virtual server, snat, nat) is required.
sol9038: The order of precedence for local traffic object listeners
https://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html