Forum Discussion

BaltoStar_12467's avatar
BaltoStar_12467
Sep 14, 2015

BIG-IP : SNAT necessary if device is only gateway to internet ?

F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi   Our production BIG-IP devices are configured with virtual-servers with VIPs on public internet.   Backend sites/services are on int...
application delivery
BIG-IP
default gateway
design
LTM
snat
Ed_Summers's avatar
Ed_Summers
Icon for Nimbostratus rankNimbostratus
Sep 15, 2015

I may be reading your question differently from the other responders. How is routing configured for your back-end servers? Does their default routing path send all traffic through the BigIP, such as via a default route or perhaps a self-IP is their default gateway? You stated, "have no route to internet other than through BIG-IP" which leads me to believe there is a means in place of routing traffic from the servers through the BigIP.

 

In this scenario, a SNAT shouldn't be required for the servers to simply respond to client requests to a virtual service. The BigIP will perform address translation from the VIP to the back-end server, and conversely for response traffic.

 

Now if the back-end servers initiate traffic outbound to the Internet (say, for updates or someone just wants to browse DevCentral), they will need some mechanism of address translation to have a publicly routed address to the outside world. SNAT is one method to accomplish this.