Forum Discussion
F5 SMTP Fast Template - SNAT Not working as expected
- Oct 06, 2023
Just so it's clear, in this case we only need to preserve client IP as it comes in to the load balancer. The outbound traffic in the scenario above applies when the server either needs to talk to the Internet or some core infrastructure service, i.e. DNS, which does not require the original server IP. The key thing is the servers need to see the real client IP; this is only the ingress component. For egress (Internet-bound) traffic, there is no requirement to preserve original IPs.
So the question is, can I just SNAT on the forwarding IP VS for traffic leaving the server outbound? To my understanding, this would only change the server's IP as it's headed outbound. For traffic initiated from a client inbound, it will hit the SMTP VS and return through original connection in the connection table on the F5. Is that not the case?
- Franky-frank-reg7 Oct 06, 2023 Altocumulus
Paulius, any ideas on the question above?
- Paulius Oct 06, 2023 MVP
Franky-frank-reg7 That is true, but to simplify the configuration so that you reduce the man hours you might/will spend in the future troubleshooting a non-standard deployment of the F5, you should deploy it as option 1.
- Franky-frank-reg7 Oct 06, 2023 Altocumulus
I'm going to try both methods and reply back for closing the thread. One last question, for option 1, where the isolated subnet is only routable through the F5: I'm assuming we need to create another IP forwarding VS for the management traffic, i.e. RDP, SNMP, WMI, etc., to monitor and manage the server, correct? So there will be one IP forwarding VS for server-initiated traffic and another IP forwarding VS for inbound communications to the server, as shown in the picture below:
Also, for option 2, I tried to configure the SNAT on the internal forwarding VS, where source is restricted to the server IP: 10.50.22x.150, but it didn't work. Is it better to configure global SNAT? Can you give some guidance for option 2? I've added some questions to the picture below: