Forum Discussion
F5 LTM question automap
SNAT automap uses the egress VLAN interface IP. By establishing a SNAT pool and attaching it, you can control what IP this translates to.
For the Client->F5->Server, consider these scenarios:
Routed: client source address goes to the server. Routes are necessary back through BIG-IP on servers or servers gw.
SNAT Automap: client source is managed on BIG-IP, source is translated to the self IP on the egress interface heading toward servers. For servers needing the source IP for reporting or decision processes, you must insert it in an application header or possibly in TCP options.
SNAT Pool: client source is still managed on BIG-IP, but source is translated to an IP you configure and attach to the virtual server. I like this option because I can map external IP -> internal IP by application, so I know what flows belong to what application on the inside of the organization/DMZ as appropriate. If traffic isn't necessary to come back through the BIG-IP, you can also SNAT to the original client's source IP.

The SNAT automap feature may not use the intended translation address if a floating self IP is not available on the egress VLAN, or the floating self IP address was originally a static self IP address.
The SNAT Automap feature selects a translation address from the available self IP address in the following order of preference:
Floating self IP addresses on the egress VLAN
Floating self IP addresses on different VLANs
Non-floating self IP addresses on the egress VLAN
Non-floating self IP addresses on different VLANs
Note: When there are multiple self IP addresses on the egress VLAN, the BIG-IP system alternates the addresses using a load balancing selection similar to the Least Connections load balancing method.
The selection of a floating self IP as translation address on a VLAN other than the egress VLAN is intended to avoid disruption in a high availability (HA) failover scenario. However, depending on the network routing configuration, selection of a self IP other than the egress VLAN may cause traffic disruption. F5 recommends that you ensure that you have configured floating self IP addresses on all VLANs from which you expect SNAT traffic to egress. Alternatively, you can mitigate the issue by using a SNAT pool with an IP address on the egress subnet VLAN as a member for the SNAT pool.
F5 iHealth will list Heuristic H698361 on the Diagnostics > Identified > Medium page if SNAT Automap is configured and a VLAN is configured without a floating self IP address. For VLANs that do not require a floating self IP address, such as a VLAN dedicated as an HA VLAN, you can safely disregard the heuristic warning.
Important: SNAT Automap does not use non-floating self IP addresses that have been re-configured as floating self IP addresses. To convert a non-floating self IP address to become a floating self IP address for use with SNAT Automap, delete the non-floating self IP address first and then re-add the same self IP address as a floating self IP address. To delete the non-floating address from that VLAN, you must configure at least one other non-floating IP address on the associated VLAN.
Note: In BIG-IP 10.x, a floating self IP address is designated by selecting the Floating IP check box on the self IP address properties page. In BIG-IP 11.x and later, a floating self IP address is designated by selecting a floating traffic group on the self IP address properties page.
Hope this will help
🙏
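The preference order and the missing-floating-self-IP condition quoted in the reply above, modelled as an added example (not code from the posts or from F5). The `SelfIP` record, the function names and the inventory are assumptions constructed for illustration; the re-configured-as-floating caveat is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SelfIP:            # hypothetical record, not a BIG-IP API object
    address: str
    vlan: str
    floating: bool

def automap_candidates(self_ips, egress_vlan):
    """Return (tier, addresses) for the first non-empty preference tier.

    Tiers follow the order quoted in the thread. Several addresses in one
    tier are all returned, since the system alternates between them.
    """
    tiers = [
        (1, lambda s: s.floating and s.vlan == egress_vlan),
        (2, lambda s: s.floating and s.vlan != egress_vlan),
        (3, lambda s: not s.floating and s.vlan == egress_vlan),
        (4, lambda s: not s.floating and s.vlan != egress_vlan),
    ]
    for tier, match in tiers:
        hits = [s.address for s in self_ips if match(s)]
        if hits:
            return tier, hits
    return None, []

def vlans_without_floating(self_ips, ignore=()):
    """VLANs with no floating self IP (the condition the heuristic reports).

    `ignore` lists VLANs that do not need one, such as a dedicated HA VLAN.
    """
    vlans = {s.vlan for s in self_ips}
    covered = {s.vlan for s in self_ips if s.floating}
    return sorted(vlans - covered - set(ignore))

# Constructed sample inventory using documentation address ranges.
INVENTORY = [
    SelfIP("192.0.2.2", "external", False),
    SelfIP("192.0.2.1", "external", True),
    SelfIP("198.51.100.2", "internal", False),
    SelfIP("203.0.113.2", "ha", False),
]

if __name__ == "__main__":
    for vlan in ("external", "internal"):
        print(vlan, automap_candidates(INVENTORY, vlan))
    print("missing floating self IP:", vlans_without_floating(INVENTORY, ignore=("ha",)))
```

With this inventory, traffic egressing `internal` is translated to the floating address on `external` (tier 2) rather than to an address on the server-side subnet, which is the routing surprise the reply describes.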