NAT in LTM
Hi All,
Say there is a public IP mapped to an internal IP (say the public IP is owned by us): 1.1.1.1 ---> 10.1.1.1 (as a member). When a request from outside hits the VIP 1.1.1.1, the request is sent to destination 10.1.1.1.
Question: Say now a new connection is initiated from 10.1.1.1 to some external IP, say 5.5.5.5. Will the source be NATted to 1.1.1.1 before sending out? (There is no existing connection; this is a new connection.)
Do we need to do a SNAT also? Please advise.
Thanks
Hi Rakeshvela
From what you have described, 1.1.1.1 is the post-NAT IP address for the F5 virtual server IP address 10.1.1.1, right?
For the question you asked, is 10.1.1.1 the same as the self-IP for outbound connections? If yes, then outbound traffic will be initiated from this IP (10.1.1.1). If not, the self-IP for your outbound VLAN will be used. Outbound connections to resources where F5 does not have a leg (VLAN + self-IP) will be forwarded to your default gateway, or to the next-hop IP address if static routes were set on the box. You will need to add this IP address to your internet-accessible subnets in your NAT statement.
HTH. Regards, Eben.
Hello Rakeshvela,
In my opinion it depends on the DG for the internal server with IP 10.1.1.1.
If it is not the F5 box, it will not be NATed.
Please see the link below:
Hope that will help.
Regards,
Preslav
- Rakeshvela_3309Nimbostratus
Hi Eben,
The scenario is like this
Say from some external IP 130.1.1.1 ----> 1.1.1.1 (coming to, say, this is my public IP)
1.1.1.1 ---> has members 192.168.1.1. F5 will have the session table for this, and when the return traffic hits F5, it will forward accordingly.
Now, say 192.168.1.1 (member) ---> 150.3.2.2
Will F5 auto-NAT it to 1.1.1.1 before sending out? Please advise.
Thanks
- eben_259100Cirrostratus
What is the default gateway on 192.168.1.1 (member)?
1. If the default gateway points back to F5, then you need to create a forwarding VS for F5 to forward the traffic outbound, because it's a default-deny box. About NATing: source address translation is set to None by default, so you might have to use automap or a snatpool if necessary. Also set protocol to all when creating the Forwarding-IP VS.
2. If the default gateway points to another network device other than F5, this will depend on your internet access policy.
HTH
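The forwarding virtual server described in the reply above, sketched as tmsh commands run from the BIG-IP bash prompt. This is an added example, not configuration posted by anyone in the thread; the object names, the VLAN name `internal`, and the choice of 1.1.1.1 as the SNAT translation address are assumptions.

```tmsh
# Added example. Names (outbound_snatpool, outbound_fwd), the VLAN "internal"
# and the use of 1.1.1.1 as the translation address are assumptions.

# SNAT pool holding the public address outbound connections should appear from.
tmsh create ltm snatpool outbound_snatpool members add { 1.1.1.1 }

# Forwarding (IP) virtual server: wildcard destination, all IP protocols.
# It is limited to the internal VLAN and to the member's address so the box
# does not forward arbitrary traffic arriving on other VLANs.
tmsh create ltm virtual outbound_fwd \
    destination 0.0.0.0:any mask any \
    ip-forward \
    ip-protocol any \
    source 192.168.1.1/32 \
    vlans-enabled vlans add { internal } \
    source-address-translation { type snat pool outbound_snatpool }

# Alternative to the SNAT pool: automap, which translates the source to a
# self IP on the egress VLAN rather than to 1.1.1.1.
# tmsh modify ltm virtual outbound_fwd source-address-translation { type automap }

# Review the resulting object and its connection counters, then persist.
tmsh list ltm virtual outbound_fwd
tmsh show ltm virtual outbound_fwd
tmsh save sys config
```

With the default source address translation of None, the same virtual server would forward the member's packets with their original 192.168.1.1 source, so the upstream device would have to perform the NAT instead.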