Forum Discussion
Daniel_55334
Altostratus
Apr 15, 2015
NAT on LTM or firewall?
We are going to add LTM to a customer network to do outgoing ISP load balancing.
Internet router --- LTM --- firewall --- core switch
Firewall currently performs NAT for outgoing Internet tra...
BinaryCanary_19
Historic F5 Account
Apr 15, 2015
It's all up to you. If you are not making any decisions based on Source IP, then it doesn't really matter where you NAT.
If you are using, for example, Source Address Affinity persistence, then you may want to do the NAT on the LTM.
dragonflymr
Cirrostratus
Apr 16, 2015
Hi,
Maybe I am wrong, but if NAT (using the F5 definition of NAT) is used to access internal servers, then the source IP is preserved and only the destination IP is changed. Am I wrong? The source IP is changed only if SNAT is used for accessing servers (a strange config, I guess, but possible).
I would say that using a BIG-IP device to perform just NAT seems like not utilizing 99% of the features of the device.
Not an expert here, but I would change this setup to:
Internet router --- firewall --- LTM --- core switch
Then for outgoing traffic (initiated from the LAN to the Internet), SNAT can be configured on LTM (probably best practice is rather to set a wildcard virtual server (VS)?).
For traffic coming from the Internet to servers in the LAN, appropriate VSs should be created.
Piotr
