Forum Discussion
BIG-IP : virtual-server configuration for snat
BIG-IP 11.4.0 Build 2384.0 Final
vip-external-01 is enabled for vlan-external-01 and routes to pool-01 whose members live on vlan-internal-01. vip-external-01 has snat auto-map enabled.
vip-internal-01 is enabled for vlan-internal-01 and should be chosen as self-ip for traffic routed by vip-external-01 to pool-01
On vip-external-01, is it also necessary to enable vlan-internal-01?
And on vip-internal-01, is it also necessary to enable vlan-external-01?
More generally speaking, how to configure a simple network to support a browser-client request sent to vip and routed to the destination web-server with response traveling the reverse path?
4 Replies
- Kevin_Stewart
Employee
On vip-external-01, is it also necessary to enable vlan-internal-01?
No. Only the ingress VLAN needs to be enabled.
And on vip-internal-01, is it also necessary to enable vlan-external-01?
No. Same reason.
More generally speaking, how to configure a simple network to support browser-client request sent to vip and then routed to destination web-server with response following the reverse path back?
The simplest answer is a VIP pointing to a pool and an applied SNAT. You can optionally enable/disable specific VLANs to limit ingress traffic, but it's not absolutely required. The SNAT guarantees return routing.
- Kevin_Stewart
Employee
When I create my SNAT Pool, should it consist of one or more Self IPs? Is a SNAT Pool just a collection of Self IPs that BIG-IP dynamically selects and assigns as the request's origin IP?
A SNAT pool should NOT consist of self-IPs. It should rather contain a list of IP addresses (not self-IPs) in the desired subnet. Further, the IPs in the SNAT pool are not actually dynamically selected. Generally, one IP is used until it reaches port exhaustion.
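A configuration check for the point made in the reply above, added here as an example and not part of the thread: it scans a bigip.conf-style text for SNAT pool members that are also self IPs. The stanza layout (`net self ... { address ... }`, `ltm snatpool ... { members { ... } }`), the sample addresses, the object names and the function names are assumptions, and only IPv4 is handled.

```python
import re

# Constructed bigip.conf-style fragment (addresses and object names are made up).
SAMPLE_CONF = """
net self self-internal-01 {
    address 10.0.2.1/24
}
ltm snatpool snatpool-01 {
    members {
        10.0.2.1
        10.0.2.200
    }
}
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def stanzas(conf, kind):
    """Yield (name, body) for every top-level '<kind> <name> { ... }' stanza."""
    for m in re.finditer(r"^%s (\S+) \{" % re.escape(kind), conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):          # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def self_ips(conf):
    """Map each self-IP address (mask stripped) to the name of its 'net self' object."""
    found = {}
    for name, body in stanzas(conf, "net self"):
        m = re.search(r"^\s*address\s+(\S+)", body, re.M)
        for ip in IPV4.findall(m.group(1) if m else "")[:1]:
            found[ip] = name
    return found

def snatpool_self_ip_overlap(conf):
    """Return (snatpool, address, self-ip object) for every pool member that is a self IP."""
    selfs = self_ips(conf)
    hits = []
    for pool, body in stanzas(conf, "ltm snatpool"):
        members = re.search(r"members\s*\{([^}]*)\}", body)
        for ip in IPV4.findall(members.group(1) if members else ""):
            if ip in selfs:
                hits.append((pool, ip, selfs[ip]))
    return hits

if __name__ == "__main__":
    for pool, ip, self_name in snatpool_self_ip_overlap(SAMPLE_CONF):
        print(f"{pool}: member {ip} is also self IP {self_name}")
```

An empty result means no SNAT pool member collides with a configured self IP in the text that was scanned.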
- nitass
Employee
the concept is bigip is default deny device. to allow traffic passing through bigip, object listener is required. there are 3 object listeners (i.e. virtual server, snat and nat). the object listener is listening on ingress vlan. snat is also available under virtual server configuration (i.e. snat automap, snatpool).
sol9038: The order of precedence for local traffic object listeners
http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html
for snat automap, selfip on egress vlan will be selected.
sol7336: The SNAT Automap and self IP address selection
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7336.html
- Jo_31162
Nimbostratus
Hi all,
I need to configure SNAT pool instead of automap.
With "One Arm" configuration and two different subnets for VIPs and Servers, which SNAT pool IP/Subnet is better to configure?
Related to VIP Subnet, related to Servers Subnet or whatever?
Thanks in advance
Brgds