Forum Discussion
Address translation query
Guys,
I'm trying to understand what exactly happens when address translation is enabled on a VIP. I assumed once enabled it was reading settings from the address translation section on the GUI (NATs, SNATs etc), and applying from there once triggered with matching source IP.
I'm likely way off with that, as I've never looked into this in any great detail; things have just worked away nicely in the background.
Basically now I am trying to troubleshoot an issue on a VS that has the address translation tick box enabled, yet the client IP is preserved in the server side connection, and I'm trying to understand what is preserving the client IP.
Does the address translation tick box preserve the client IP, or is it that something is misconfigured?
v11.
No automap enabled on VIP.
Thanks in advance guys ;)
- nitassEmployee
"the default gateway for the proxy servers is another VIP on the same F5, which load balances to external FWs.... i.e. not the self IP"
I think when the proxy server initiates a new connection to the internet, it will hit the firewall virtual server, but return traffic (to the client) will match the existing connection which was created by the proxy virtual server (when it received traffic from the client).
- superd_88943Nimbostratus
Just to confuse things.... the default gateway for the proxy servers is another VIP on the same F5, which load balances to external FWs.... i.e. not the self IP
- nitassEmployee
"I'm wondering, without automap, does the F5 on the server side connection use the client address to talk to servers? That's kind of what I'm seeing in TCPDUMPs, i.e. client source IP address on both sides of the connection."
yes.
What is the proxy's default gateway? Is it the BIG-IP?
- superd_88943Nimbostratus
Hi nathan..
I don't want address translation, it's working fine as is... it's basically a VS with two proxy servers in the pool, and the proxy servers obviously need to see the source IP address for policies, reporting etc.
What I'm confused on is how the traffic is getting back through the F5 without automap..
I'm wondering, without automap, does the F5 on the server side connection use the client address to talk to servers? That's kind of what I'm seeing in TCPDUMPs, i.e. client source IP address on both sides of the connection.
Obviously that will explain my concerns...
Thanks again!!
- natheCirrocumulus
Yes, it uses the client's source IP address. If the proxy servers' default gateway isn't the BIG-IP but you need to see the client's source IP address, could you SNAT and then amend the HTTP profile to insert an X-Forwarded-For header? The proxy would need to be able to interrogate this header though. This would insert a value of the client's source IP address.
- natheCirrocumulus
You would need to configure source address translation on the VIP (e.g. automap) or have the default gateway of the pool member as the F5 self-IP for return traffic to traverse the F5 back to the client.
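
The return-path reasoning in this thread, as an added example that is not part of the original posts: a small Python model of what the server-side packet looks like with and without SNAT, and whether the pool member's reply goes back through the BIG-IP. The class and function names are hypothetical (not BIG-IP APIs) and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class VirtualServer:              # hypothetical model, not a BIG-IP API
    destination: str              # VIP the client connects to
    pool_member: str              # pool member chosen by load balancing
    translate_address: bool       # the "address translation" tick box
    snat_address: Optional[str]   # self IP used by SNAT automap; None = no SNAT

@dataclass(frozen=True)
class Server:
    subnet: str                   # subnet the pool member sits on
    default_gateway: str          # next hop for off-subnet destinations

def server_side_packet(vs, client_ip):
    """(src, dst) of the packet BIG-IP sends on the server side."""
    dst = vs.pool_member if vs.translate_address else vs.destination
    src = vs.snat_address or client_ip   # without SNAT the client IP is preserved
    return src, dst

def reply_next_hop(server, reply_dst):
    """On-link destinations are reached directly, everything else via the gateway."""
    if ipaddress.ip_address(reply_dst) in ipaddress.ip_network(server.subnet):
        return reply_dst
    return server.default_gateway

def reply_traverses_bigip(vs, server, client_ip, bigip_addresses):
    """True when the reply reaches BIG-IP and can match the existing connection."""
    src, _ = server_side_packet(vs, client_ip)
    return reply_next_hop(server, src) in bigip_addresses

# Constructed sample addresses
CLIENT = "192.0.2.50"
BIGIP = {"10.2.2.1"}              # addresses on the server VLAN owned by BIG-IP
VS = VirtualServer("10.1.1.100", "10.2.2.10", True, None)
VS_AUTOMAP = replace(VS, snat_address="10.2.2.1")
VIA_BIGIP = Server("10.2.2.0/24", "10.2.2.1")
VIA_OTHER = Server("10.2.2.0/24", "10.2.2.254")

if __name__ == "__main__":
    for name, vs, srv in [("no SNAT, gateway is BIG-IP", VS, VIA_BIGIP),
                          ("no SNAT, gateway elsewhere", VS, VIA_OTHER),
                          ("automap, gateway elsewhere", VS_AUTOMAP, VIA_OTHER)]:
        print(name, server_side_packet(vs, CLIENT),
              reply_traverses_bigip(vs, srv, CLIENT, BIGIP))
```

In the automap case the reply returns through the BIG-IP, but the pool member sees the self IP as the source, which is why the X-Forwarded-For header comes up in the thread.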
- superd_88943Nimbostratus
Another quick question on this, nathan...
For the VS in question, the client/source IP is preserved when traversing the F5. Can I ask how my pool member knows to talk back through the F5? I assumed it would try to talk directly to the client... with no automap enabled?
Or is address translation coming into play in some form or other...
Sorry, hope my explanation makes sense...
- superd_88943Nimbostratus
thanks mate... much appreciated ;)
- nitassEmployee
"Are you saying for this to work we must tick address translation on every VIP?"
yes. anyway, when you configure a host virtual server (not a network or wildcard virtual server), it will be enabled by default.
"When would be a case NOT to use address translation?"
e.g. load balancing gateway
- natheCirrocumulus
Thanks Nitass, beat me to it ;-)
- superd_88943Nimbostratus
Hi nathan.. thanks for the response...
I would have thought that is default behaviour i.e. for an F5 to receive a connection from a client, and translate the dest address to the available pool member.
Are you saying for this to work we must tick address translation on every VIP?
When would be a case NOT to use address translation?