Forum Discussion
BIG-IP : SNAT necessary if device is only gateway to internet ?
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi
Our production BIG-IP devices are configured with virtual-servers with VIPs on public internet.
Backend sites/services are on internal subnet and have no route to internet other than through BIG-IP.
In this scenario is enabling SNAT necessary for backend sites/services to route response ( through BIG-IP ) to original client ( browser on www ) ?
Or are other mechanisms available ?
EDIT : More precisely, our backend servers are web-servers hosting various micro-sites & micro-services. In fact, some that require internet access ( to retrieve data from 3rd-party services such as Google Maps or Facebook ) do have their default gateway pointing to a forward-proxy-server we maintain specifically for that purpose. Others have their default gateway pointing to an internal switch ( no path to the internet ). AFAIK, no servers are configured with default route/gateway pointing to BIG-IP Self-IP.
if I understand you correctly then yes, source NAT is required as these internal servers have a private IP which makes them unroutable on the internet. if you don't source NAT the traffic will never get back to them.
you do have some options on how to do the source NAT, i.e. automap, SNAT pool, ...
- kridsanaCirrocumulus
Yes
you need to change source IP to make it can route back to F5 (SNAT , NAT)
traffic pass VIP is not change source IP by default
- Ed_SummersNimbostratus
I may be reading your question differently from the other responders. How is routing configured for your back-end servers? Does their default routing path send all traffic through the BigIP, such as via a default route or perhaps a self-IP is their default gateway? You stated, "have no route to internet other than through BIG-IP" which leads me to believe there is a means in place of routing traffic from the servers through the BigIP.
In this scenario, a SNAT shouldn't be required for the servers to simply respond to client requests to a virtual service. The BigIP will perform address translation from the VIP to the back-end server, and conversely for response traffic.
Now if the back-end servers initiate traffic outbound to the Internet (say, for updates or someone just wants to browse DevCentral), they will need some mechanism of address translation to have a publicly routed address to the outside world. SNAT is one method to accomplish this.
- kridsanaCirrocumulus
From my understanding about NAT/SNAT
NAT is one-to-one (just map real IP address and NAT address)
SNAT can be one-to-one or many-to-one (SNAT List) or many-to-many (SNAT pool)
If you want to access real server , You can access NAT address and it route you to real IP server
But You can't access real server from SNAT address (It's Secure NAT in full name though)
everyone Please fix me if I'm wrong :)
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com