Eric_Sanchez_27
Apr 04, 2010

Clarification of SelectiveSnat/iRule SNAT. Need help.

I'm trying to understand what the difference is between using SNAT AUTOMAP and what I call an iRule SNAT. This is what I am attempting to accomplish: If I have two different VS (that need to talk to each other) using 2 distinct pools (in the same subnet) and if I don't apply the SNAT AUTOMAP or iRule SNAT... the functionality of the application sometimes doesn't work. From what I have been told... the iRule SNAT/AUTOMAP forces traffic back to the LTM for it to hold session state and not have Pool A go directly to Pool B since it is on the same ethernet segment.

My iRule SNAT is this:

    when CLIENT_ACCEPTED {
        # $::x_Hosts is a data group (class) of client IP addresses/subnets
        if { [matchclass [IP::client_addr] equals $::x_Hosts] } {
            # client matched the data group: rewrite its source address
            # to an address from the SNAT pool named x_SNAT
            snatpool x_SNAT
        }
    }

x_Hosts = I don't understand the relevance of this.

x_SNAT = the SNAT pool IP. Let's say 10.10.10.10

Please help me understand what this is accomplishing. Is this an alternative way of using SNAT AUTOMAP? The idea I was attempting is to not have everything use the self-IP interface, in case the application needs to monitor the true source IP and MAC address. Thank you for your time.

  • Hi Eric,

    You were told correctly that since the client and server are on the same segment you need to use SNAT so that you have a return route going back to the same interface on the LTM (symmetric). Now you can use SNAT Automap or your custom snatpool on the VIP. The disadvantage, besides losing the source address, is that it applies to all IP addresses. With the iRule you can control which source IP addresses are SNAT'd and which ones aren't. In your iRule you have it for specific clients. If you use Automap then it automatically uses the self-IP interface. You can, however, use a SNAT pool which can contain a single or a pool of specific IP addresses to SNAT other than the self-IP.

    I hope this helps

    Bhattman
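The selective SNAT that Bhattman describes, written out as an added example (not code from either poster). It does the same job as Eric's rule but uses the `class match` form introduced in LTM v10 instead of the older `matchclass` on a `$::` global, and it makes the "everyone else keeps their real source address" case explicit with `snat none`. The data group name x_Hosts and the SNAT pool name x_SNAT are taken from the original post and are assumed to exist on the LTM; the log line is an assumption added for troubleshooting and writes to /var/log/ltm.

```tcl
# Added example: selective SNAT keyed on a client-address data group.
# Assumes: an address data group "x_Hosts" (clients that must be SNAT'd
# because their servers sit on the same segment) and a SNAT pool "x_SNAT".
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals x_Hosts] } {
        # Client is in the data group: translate its source address to a
        # member of x_SNAT so the server's reply comes back through the LTM
        # instead of being sent directly to the client on the shared segment.
        snatpool x_SNAT
        log local0. "SNAT via x_SNAT applied for client [IP::client_addr]"
    } else {
        # Any other client keeps its real source address, so an application
        # that needs the true client IP still sees it.
        snat none
    }
}
```

Attach the rule to the virtual server alongside (or instead of) SNAT Automap; because `snat none` is set on the non-matching path, the rule decides per connection rather than for every address the VIP sees. The log line is only useful while you confirm which clients are being translated, and should be removed on a busy VIP.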
  • Hi Bhattman,

    I have 2 F5s in the DMZ (active-passive) and I have an F5 in the internal zone also. If I configure a VS on the internal F5, and the pool members are inside my internal server farm, without automap all my clients (users) can access the VS. But if I configure the VS on the DMZ F5, I need to use automap in order for my clients to access the VS. What could be the cause? Is it because my F5 has 2 self IPs (active-passive), so when the packet is going back from my server to the client it doesn't know the symmetric traffic path?

    Another question: if the server needs to be accessed by internet users, I should configure the VS on the DMZ F5, but what is the better approach, should I configure the pool member as the internal F5 IP or directly my server IP address? If I put the internal F5 IP then there is an additional hop.

    Thanks