Forum Discussion

BaltoStar_12467's avatar
Sep 14, 2015

BIG-IP : SNAT necessary if device is only gateway to internet ?

F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

 

Our production BIG-IP devices are configured with virtual-servers with VIPs on public internet.

 

Backend sites/services are on internal subnet and have no route to internet other than through BIG-IP.

 

In this scenario is enabling SNAT necessary for backend sites/services to route response ( through BIG-IP ) to original client ( browser on www ) ?

 

Or are other mechanisms available ?

 

EDIT : More precisely, our backend servers are web-servers hosting various micro-sites & micro-services. In fact, some that require internet access ( to retrieve data from 3rd-party services such as Google Maps or Facebook ) do have their default gateway pointing to a forward-proxy-server we maintain specifically for that purpose. Others have their default gateway pointing to an internal switch ( no path to the internet ). AFAIK, no servers are configured with default route/gateway pointing to BIG-IP Self-IP.

 

  • if I understand you correctly then yes, source NAT is required as these internal servers have a private IP which makes them unroutable on the internet. if you don't source NAT the traffic will never get back to them.

     

    you do have some options on how to do the source NAT, i.e. automap, SNAT pool, ...

     

  • Yes

     

    you need to change source IP to make it can route back to F5 (SNAT , NAT)

     

    traffic pass VIP is not change source IP by default

     

  • I may be reading your question differently from the other responders. How is routing configured for your back-end servers? Does their default routing path send all traffic through the BigIP, such as via a default route or perhaps a self-IP is their default gateway? You stated, "have no route to internet other than through BIG-IP" which leads me to believe there is a means in place of routing traffic from the servers through the BigIP.

     

    In this scenario, a SNAT shouldn't be required for the servers to simply respond to client requests to a virtual service. The BigIP will perform address translation from the VIP to the back-end server, and conversely for response traffic.

     

    Now if the back-end servers initiate traffic outbound to the Internet (say, for updates or someone just wants to browse DevCentral), they will need some mechanism of address translation to have a publicly routed address to the outside world. SNAT is one method to accomplish this.

     

  • From my understanding about NAT/SNAT

     

    NAT is one-to-one (just map real IP address and NAT address)

     

    SNAT can be one-to-one or many-to-one (SNAT List) or many-to-many (SNAT pool)

     

    If you want to access real server , You can access NAT address and it route you to real IP server

     

    But You can't access real server from SNAT address (It's Secure NAT in full name though)

     

    everyone Please fix me if I'm wrong :)