For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

joek_44162's avatar
joek_44162
Icon for Altostratus rankAltostratus
Nov 12, 2013

Disabling Snat

Hello, I have a question about disabling snat on a virtual server. Currently in this environment when there is a need to disable snat, we point the gateway on the server to use the F5 floating self...
design
IheartF5_45022's avatar
IheartF5_45022
Icon for Nacreous rankNacreous
Nov 12, 2013

The most obvious response is that you should change your topology so that the server and F5 are in one subnet (with the F5 the default route for the server), and the F5/router in another subnet, with the router the default route for the F5, and a network route to the server subnet pointing to the F5, on the router.

 

To answer the question you actually asked, I think yes, that will work, although you have to try it in your particular network - this is because the router will get arp responses for the server IP from the server MAC, but will see incoming packets from the server IP with another MAC (the F5) - this may confuse some router types or those who have some sort of security lockdowns (like IP Source Guard). I would seriously consider changing your topology if that's possible.

 

Also, be careful about "timeout indefinite" settings - can lead to session table filling up with zombie sessions.