Forum Discussion

Miguel_111028
May 28, 2008

Change the source ip of the request packet for a virtual server

I want to know the way (if possible) to change the source IP address of the request packet managed by a virtual server to one of the internal self IPs of an LTM BIG-IP (static or floating self IP), and not only the destination IP address, as I read in the manuals:

In the Destination IP Address header of the request packets, the BIG-IP system changes the destination IP address (that is, the virtual server address) to the actual address of the selected node. In this case, the source address in the packets (that is, the address of the client that initiated the connection) remains unchanged.

That is, so that the BIG-IP acts as a proxy for the traffic managed by that virtual server.

I have searched the manuals, but I have not found a way to do this.

I have a BIG-IP LTM 6400, 9.x version.

Thanks a lot in advance.

10 Replies

  • hoolio
    Hi,

    You can use SNATs to perform source address translation. This could either be on load balanced traffic sent to the servers, or on the outbound connection for hosts originating traffic through the BIG-IP to other networks. The LTM config guide should provide good detail on picking the optimal SNAT for your scenario. If you have questions, reply here.

    Aaron
  • Hi Aaron,

    Yes, I have already thought of using SNAT, but as I read in the configuration guide, SNAT is used strictly for outgoing connections:

    You use a SNAT strictly for outgoing connections that one or more internal nodes initiates. A single SNAT can map original IP addresses (also known as original IP addresses) to public addresses in any of these ways:

    What I want is to translate the origin IP address of the traffic managed by a virtual server, that is, inbound traffic.

    Thank you.


  • hoolio
    SNATs are used to translate traffic leaving the BIG-IP. If applied to a virtual server, a SNAT can translate the source address of a packet going to the destination server.

    Could you elaborate on what traffic you're trying to perform origin or source address translation for?

    Aaron
  • Hi Aaron,

    Thanks for the reply.

    I will try to explain in more detail what I need to implement.

    I have an LTM active-active configuration and I want to perform source address translation on the load balanced traffic sent to an HTTPS virtual server (I need to do source address translation because the default gateway on the load balanced web servers isn't set to the BIG-IP's floating self IP on the internal VLAN; in fact the web servers are located in a different VLAN than the BIG-IP's internal VLAN). But, because of my network architecture, I need the translated source address to be fixed and different for each active BIG-IP node; ideally it would be the active floating self IP of each node. Is it possible to implement that using SNAT in an active-active configuration? Could you please explain how to do that?

    Another doubt I have: in an LTM active-active HA configuration, is it possible to set a different default gateway or route table for each BIG-IP node? I need to implement that to ensure traffic returns along the same path (router) it entered.

    Thank you very much.


  • hoolio
    The source address translation would occur between the BIG-IP and the destination server(s). You can use SNAT automap on the VIP to allow LTM to dynamically select the (or one of the) floating IP addresses on the egress VLAN. Or if you want to specify a source IP address that LTM should use, you can create a SNAT list and apply it to the VIP.

    There is a general thought that using an active-active configuration is risky in that there is a tendency to load both BIG-IPs past 50% capacity. At that point, if one unit fails, then the remaining unit cannot handle the total load. Other people might have opinions, but we've never implemented active-active for any of our customers.

    Aaron
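As an added illustration (not from this thread, and written in the later tmsh syntax rather than the 9.x bigpipe commands the original poster would have used), here are the two options hoolio describes: SNAT automap, which lets LTM pick a self IP on the egress VLAN, and a SNAT pool that pins the translated source to a fixed address. All names and addresses are hypothetical.

```tmsh
# Added example, not from the thread. Hypothetical object names, RFC 5737 addresses.
create ltm pool web_pool members add { 192.0.2.21:443 192.0.2.22:443 } monitor https

# Option 1: SNAT automap. LTM chooses a self IP (floating preferred) on the VLAN
# facing the pool members; the translated source therefore moves with the unit
# that owns the floating address.
create ltm virtual vs_https_automap {
    destination 203.0.113.10:443
    ip-protocol tcp
    pool web_pool
    profiles add { tcp { } }
    source-address-translation { type automap }
}

# Option 2: SNAT pool. The translated source is fixed to the listed address,
# so the servers always see a known IP regardless of which self IPs exist.
create ltm snatpool snat_fixed { members add { 192.0.2.5 } }
create ltm virtual vs_https_fixed {
    destination 203.0.113.11:443
    ip-protocol tcp
    pool web_pool
    profiles add { tcp { } }
    source-address-translation { type snat pool snat_fixed }
}
```

With either option the web servers log the translated address, not the client IP; because this is HTTPS passthrough there is no HTTP header to carry the original client address, so client-level logging has to stay on the BIG-IP.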
  • Deb_Allen_18 (Historic F5 Account)
    Hoolio's observations about the limitations of active-active are correct, but there are some specific considerations for gateways & SNAT that you can use to support active-active configurations.

    You can associate a non-default SNAT with a specific UnitID for an active-active system: Click here

    You can also associate a gateway pool with a specific UnitID as described in the manual section about configuring gateway failsafe for redundant pairs: Click here

    HTH

    /deb
  • hoolio
    Thanks for the info, Deb. I'm definitely not an expert on active-active; I just know its value has been limited for our customers.

    Aaron
  • Thank you for the reply, both Deb and hoolio. Sorry for the delay in the reply, but I have been sick these days.

    Deb, when you refer to a "non-default" SNAT, do you mean to create a SNAT translation list?

    Thank you.


  • Can we use iRules to source a TCP check using a SNAT IP as a source IP? The ASP that runs the host only allows us to connect using our SNAT IP.

    Thanks!

    Raj
  • hoolio
    Hi Raj,

    Are you wanting to specify a source IP address for LTM to use to send monitor traffic? If so, and you have a redundant pair of LTMs, this cannot work. Both units in the pair need to perform the monitor checks in order to determine the state of the pool member. And two separate network devices cannot use the same IP address at the same time. You'll need to have the service provider allow requests from multiple IP addresses.

    If I've misunderstood your scenario, could you provide more information on what you're trying to do?

    Thanks, Aaron