karan12_154818
Sep 06, 2014

How to Configure a PAT scenario in F5 LTM

Hi,

I have three backend servers to be PATed on a public IP listening on a specific port. I have gone through the SNAT and normal NAT scenarios.

But PAT the same way as any Virtual Server on a specific port, and iRules which will translate the IP only for the PATed backend servers; otherwise requests to any other server will go via the external gateway.

Please help with the PAT scenario and setup.

Thanks,
Karan

3 Replies

  • Requesting PATed IP address for:

    Source: Server1 = 10.x.x.x, Server2 = 10.y.y.y, Server3 = 10.z.z.z
    Destination: 74.xy.xy.xy
    Port: w

    All server1 to server3 PATed to destination on that port w.

  • All server1 to server3 PATed to destination on that port w.

    Can you try a virtual server with the snat iRule command (with the port parameter)? You can check the source and destination before applying the SNAT.

    snat

    https://devcentral.f5.com/wiki/irules.snat.ashx

    Anyway, I think it won't fully work because the port may not be available (the port is already being used by another connection which goes to the same destination). An example is shown in trace 1.

    Also, due to the CMP architecture, intra-communication between TMMs may be needed. This may not be good in terms of performance. An example is in trace 2.

    sol14358: Overview of Clustered Multiprocessing (11.3.0 and later)

    http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14358.html
    // config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual fwd
    ltm virtual fwd {
        destination any:0
        ip-forward
        mask any
        profiles {
            fastL4 { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address disabled
        translate-port disabled
        vlans {
            internal
        }
        vlans-enabled
        vs-index 5
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when CLIENT_ACCEPTED {
            # Translate only traffic from the client subnet that is destined for the
            # PATed host; all other flows keep the virtual server's own
            # source-address-translation (automap) setting.
            if { [IP::addr [IP::client_addr] equals 200.200.200.0/24] and [IP::addr [IP::local_addr] equals 172.28.24.1/32] } {
                snat 172.28.24.91 1111
            }
        }
    }
    
    // trace 1
    
    Client1 is trying to open 2 connections (200.200.200.101:2222 and 200.200.200.101:4444) to the same destination (172.28.24.1:80). Connection 2 is reset; rst_cause is "[0x1d5486c:1604] Unable to obtain local port".
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0:nnn -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:47:17.865788 IP 200.200.200.101.2222 > 172.28.24.1.80: S 2002056986:2002056986(0) win 5840 (mss 1460,sackOK,timestamp 1767696883 0,nop,wscale 7) in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
    20:47:17.866987 IP 172.28.24.91.1111 > 172.28.24.1.80: S 2002056986:2002056986(0) win 5840 (mss 1460,sackOK,timestamp 1767696883 0,nop,wscale 7) out slot1/tmm0 lis=/Common/fwd flowtype=129 flowid=5700010E1800 peerid=5700010E2C00 conflags=2A4 inslot=63 inport=55 haunit=1 priority=0 peerremote=00000000:00000000:0000FFFF:C8C8C865 peerlocal=00000000:00000000:0000FFFF:AC1C1801 remoteport=2222 localport=80 proto=6 vlan=4094
    20:47:17.871805 IP 172.28.24.1.80 > 200.200.200.101.2222: S 2876593243:2876593243(0) ack 2002056987 win 5792 (mss 1460,sackOK,timestamp 1377190663 1767696883,nop,wscale 7) out slot1/tmm0 lis=/Common/fwd flowtype=65 flowid=5700010E2C00 peerid=5700010E1800 conflags=CA4 inslot=63 inport=55 haunit=1 priority=0 peerremote=00000000:00000000:0000FFFF:AC1C1801 peerlocal=00000000:00000000:0000FFFF:AC1C185B remoteport=80 localport=1111 proto=6 vlan=4093
    20:47:17.871601 IP 172.28.24.1.80 > 172.28.24.91.1111: S 2876593243:2876593243(0) ack 2002056987 win 5792 (mss 1460,sackOK,timestamp 1377190663 1767696883,nop,wscale 7) in slot1/tmm1 lis= flowtype=136 flowid=5700596FCB00 peerid=0 conflags=B2 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
    20:47:17.874989 IP 200.200.200.101.2222 > 172.28.24.1.80: . ack 1 win 46 (nop,nop,timestamp 1767696897 1377190663) in slot1/tmm0 lis=/Common/fwd flowtype=65 flowid=5700010E2C00 peerid=5700010E1800 conflags=CA4 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:AC1C1801 peerlocal=00000000:00000000:0000FFFF:AC1C185B remoteport=80 localport=1111 proto=6 vlan=4093
    20:47:17.875002 IP 172.28.24.91.1111 > 172.28.24.1.80: . ack 1 win 46 (nop,nop,timestamp 1767696897 1377190663) out slot1/tmm0 lis=/Common/fwd flowtype=129 flowid=5700010E1800 peerid=5700010E2C00 conflags=2A4 inslot=63 inport=55 haunit=1 priority=0 peerremote=00000000:00000000:0000FFFF:C8C8C865 peerlocal=00000000:00000000:0000FFFF:AC1C1801 remoteport=2222 localport=80 proto=6 vlan=4094
    
    20:47:20.944645 IP 200.200.200.101.4444 > 172.28.24.1.80: S 3101243297:3101243297(0) win 5840 (mss 1460,sackOK,timestamp 1767699965 0,nop,wscale 7) in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
    20:47:20.946324 IP 172.28.24.1.80 > 200.200.200.101.4444: R 0:52(52) ack 3101243298 win 0 out slot1/tmm0 lis=/Common/fwd flowtype=65 flowid=5700010E1D00 peerid=0 conflags=CA4 inslot=63 inport=55 haunit=1 priority=0 rst_cause="[0x1d5486c:1604] Unable to obtain local port" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
    
    // trace 2
    
    Client1 is opening a connection to 172.28.24.1:80. The outbound connection is handled by tmm0 (slot1/tmm0) but the inbound is handled by tmm1 (slot1/tmm1) due to CMP. Intra-communication between TMMs is needed.
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:44:17.441299 IP 200.200.200.101.2222 > 172.28.24.1.80: S 3478016357:3478016357(0) win 5840 (mss 1460,sackOK,timestamp 1767516467 0,nop,wscale 7) in slot1/tmm0 lis=
    20:44:17.442481 IP 172.28.24.91.1111 > 172.28.24.1.80: S 3478016357:3478016357(0) win 5840 (mss 1460,sackOK,timestamp 1767516467 0,nop,wscale 7) out slot1/tmm0 lis=/Common/fwd
    20:44:17.443479 IP 172.28.24.1.80 > 172.28.24.91.1111: S 57552532:57552532(0) ack 3478016358 win 5792 (mss 1460,sackOK,timestamp 1377010244 1767516467,nop,wscale 7) in slot1/tmm1 lis=
    20:44:17.443596 IP 172.28.24.1.80 > 200.200.200.101.2222: S 57552532:57552532(0) ack 3478016358 win 5792 (mss 1460,sackOK,timestamp 1377010244 1767516467,nop,wscale 7) out slot1/tmm0 lis=/Common/fwd
    20:44:17.452004 IP 200.200.200.101.2222 > 172.28.24.1.80: . ack 1 win 46 (nop,nop,timestamp 1767516477 1377010244) in slot1/tmm0 lis=/Common/fwd
    20:44:17.452024 IP 172.28.24.91.1111 > 172.28.24.1.80: . ack 1 win 46 (nop,nop,timestamp 1767516477 1377010244) out slot1/tmm0 lis=/Common/fwd
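As an added example (not part of the DevCentral thread or of BIG-IP), the following Python model of a source-NAT connection table replays trace 1: with the iRule's fixed `snat 172.28.24.91 1111`, the second connection from 200.200.200.101 to 172.28.24.1:80 would produce the same translated 4-tuple as the first and is refused (the "Unable to obtain local port" reset), whereas per-connection port allocation hands out distinct ports. The table layout, the `SnatTable`/`trace1_scenario` names and the port range are constructed assumptions; the addresses and ports are those in the trace.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Server-side identity of a translated TCP flow: (snat_ip, snat_port, dst_ip, dst_port)
Flow = Tuple[str, int, str, int]


class PortExhausted(Exception):
    """No free local port for this (snat_ip, dst_ip, dst_port) combination."""


@dataclass
class SnatTable:
    """Toy source-NAT table (constructed model, not BIG-IP internals)."""
    snat_ip: str
    fixed_port: Optional[int] = None           # None = allocate a free port per flow
    port_range: range = range(1025, 65536)     # assumed ephemeral range for allocation
    active: Set[Flow] = field(default_factory=set)

    def translate(self, dst_ip: str, dst_port: int) -> Flow:
        # A fixed port gives exactly one candidate; dynamic mode walks the range.
        # The same port may be reused towards a different destination, as the
        # reply above implies; it cannot be reused towards the same one.
        candidates = [self.fixed_port] if self.fixed_port else self.port_range
        for port in candidates:
            flow: Flow = (self.snat_ip, port, dst_ip, dst_port)
            if flow not in self.active:        # the translated 4-tuple must be unique
                self.active.add(flow)
                return flow
        raise PortExhausted(f"{self.snat_ip} -> {dst_ip}:{dst_port}")


def trace1_scenario(fixed_port: Optional[int]) -> List[str]:
    """Replay trace 1: client 200.200.200.101 opens ports 2222 and 4444 to 172.28.24.1:80."""
    table = SnatTable(snat_ip="172.28.24.91", fixed_port=fixed_port)
    results = []
    for client_port in (2222, 4444):
        try:
            _, snat_port, _, _ = table.translate("172.28.24.1", 80)
            results.append(f"{client_port} -> {table.snat_ip}:{snat_port}")
        except PortExhausted:
            # Matches the rst_cause BIG-IP reports for the second SYN in trace 1.
            results.append(f"{client_port} -> RST: Unable to obtain local port")
    return results


if __name__ == "__main__":
    print("snat 172.28.24.91 1111 :", trace1_scenario(1111))
    print("per-connection port    :", trace1_scenario(None))
```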