
Forum Discussion

Yawei_131024
Aug 14, 2013

Process order of Virtual Server and SNAT

Hi, experts:

I'm new to F5. I have some questions about virtual servers and SNAT or NAT. 1. A NAT can use the destination address of a virtual server as its NAT address. So, what does F5 do when an IP packet whose destination IP is the NAT address comes in? 2. A virtual server can be configured with source address translation, but I don't understand how it works.

I researched it on F5 and Google, but can't find an answer.

Thanks for your help.

8 Replies

  • Please tell me what you want to achieve, then I can help you. Virtual servers are IP addresses to which clients connect to get to the service you are providing (i.e. a web application). You can do SNAT to have the TCP connection from the BIG-IP to the server set up with the source IP address of the BIG-IP. NAT is meant for outgoing traffic to the internet in general.

    • Yawei_131024
      For example, I create an HTTP virtual server: the destination address is 192.168.20.100 and the service port is 80. The internal server IP is 172.16.1.1. Meanwhile, I create a SNAT whose NAT address is 192.168.20.100 and whose original IP is 172.16.1.1. So, that's the question: 1. What does F5 do if it accepts an HTTP connection from a client? 2. What does F5 do if it accepts a ping from a client? Thanks for your reply.
  • Per sol9039: A virtual server with a SNAT pool takes precedence over a matching NAT, and a virtual server will take precedence over a NAT.

    If a request originating from the NAT's origin IP address also matches a virtual server configured on the BIG-IP system, the virtual server will process the connection and the NAT translation address will be applied to the outgoing packet.

    1. A SNAT ("secure" or "source" NAT) will change the client's true source address to another address specified. This is usually employed in environments where the back end server has a direct route back to the client (around the BIG-IP). A SNAT profile applied to the virtual server will change the client's source address to an address controlled by the BIG-IP so that return traffic is forced back through the BIG-IP interface. A SNAT "Automap" configuration uses the (most appropriate) BIG-IP self-IP for source address translation. If, however, you might have more than 65,535 simultaneous unique connections, you can build a SNAT pool with multiple addresses. The BIG-IP will use all of the ports available in one pool IP address before cycling to the next IP address.

    There are caveats to each, but generally speaking, a (standard) virtual server is a "one-to-many", where a single VIP destination address is translated to many back end server addresses, a NAT is a "one-to-one" where one NAT address is applied to one origin address, and a SNAT is a "many-to-one" where many hosts (clients) can be associated to one SNAT address.

  • I think you do not need the NAT part of the game. It will work.

    You will have two sessions: 1. Client to VIP address: clientip=a, vip=b. 2. F5 backend to pool member, i.e. the server (F5 IP address=c, server IP=s).

    If you do not turn on automap on the virtual server, c=a. If you turn on automap, c=self IP address of the F5 on the backend VLAN.

    First try to do it without your NAT configuration; you are making it complicated while the F5 will do the trick for you.

    • Yawei_131024
      The source IP will be changed if I configure automap or SNAT in source address translation, right? Thanks
  • In other words, a NAT can be like a "poor man's" virtual server, and is typically used in scenarios where you 1. don't want a virtual server for some reason, and 2. don't need to load balance. If neither of those is true for you, use a virtual server instead of a NAT. A SNAT, on the other hand, is very useful in virtual server configurations where routing is not guaranteed.
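The precedence rules quoted from sol9039 above (virtual server before NAT; a SNAT on the virtual server rewrites the client source, automap using the self IP) and the poster's two questions (HTTP connection vs. ping to 192.168.20.100) can be walked through with a small constructed model. The code below is an added example, not F5 code or anything from this thread's participants. It reuses the poster's addresses; the client address 10.0.0.5, the self IP 172.16.1.254, the outbound destination 203.0.113.9, the "no-listener" outcome and the choice to evaluate a standalone SNAT only after NAT are assumptions of the model, not statements from the page.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed toy model of the object precedence described in the thread:
# virtual server first, then NAT, then (assumed) standalone SNAT. Not F5 code.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for ICMP


@dataclass
class VirtualServer:
    dst: str
    port: int
    proto: str
    pool: List[str]
    snat: Optional[str] = None   # None, "automap" or an explicit translation address

    def matches(self, p: Packet) -> bool:
        return p.dst == self.dst and p.proto == self.proto and p.dport == self.port


@dataclass
class Nat:
    nat_addr: str   # address clients see (one-to-one)
    origin: str     # the real host behind it


@dataclass
class Snat:
    translation: str    # address substituted for the source
    origins: List[str]  # hosts whose source address is rewritten (many-to-one)


@dataclass
class Decision:
    handler: str    # which object processed the packet
    packet: Packet  # packet as it leaves the BIG-IP model


class BigIpModel:
    def __init__(self, self_ip: str):
        self.self_ip = self_ip
        self.virtuals: List[VirtualServer] = []
        self.nats: List[Nat] = []
        self.snats: List[Snat] = []

    def process(self, p: Packet) -> Decision:
        # 1. A virtual server takes precedence over a NAT (sol9039 as quoted in the thread).
        for vs in self.virtuals:
            if vs.matches(p):
                member = vs.pool[0]  # first member; load-balancing method is out of scope
                if vs.snat == "automap":
                    src = self.self_ip   # c = self IP of the back-end VLAN
                elif vs.snat:
                    src = vs.snat        # explicit SNAT translation address
                else:
                    src = p.src          # no source translation: c = a
                return Decision("virtual-server", replace(p, src=src, dst=member))
        # 2. NAT: one-to-one, applied in both directions.
        for nat in self.nats:
            if p.dst == nat.nat_addr:
                return Decision("nat-inbound", replace(p, dst=nat.origin))
            if p.src == nat.origin:
                return Decision("nat-outbound", replace(p, src=nat.nat_addr))
        # 3. Standalone SNAT for connections the origin hosts initiate themselves.
        #    Assumption: checked after NAT; the thread only states virtual server > NAT.
        for snat in self.snats:
            if p.src in snat.origins:
                return Decision("snat", replace(p, src=snat.translation))
        return Decision("no-listener", p)  # nothing claimed the packet (assumed outcome)


CLIENT = "10.0.0.5"  # constructed client address


def poster_config(automap: bool = False) -> BigIpModel:
    """The poster's setup: VS 192.168.20.100:80 -> 172.16.1.1 plus a SNAT whose
    translation is 192.168.20.100 for origin 172.16.1.1 (self IP is constructed)."""
    b = BigIpModel(self_ip="172.16.1.254")
    b.virtuals.append(VirtualServer("192.168.20.100", 80, "tcp", ["172.16.1.1"],
                                    snat="automap" if automap else None))
    b.snats.append(Snat("192.168.20.100", ["172.16.1.1"]))
    return b


def nat_config() -> BigIpModel:
    """The sol9039 case: a one-to-one NAT sharing the virtual server's address."""
    b = BigIpModel(self_ip="172.16.1.254")
    b.virtuals.append(VirtualServer("192.168.20.100", 80, "tcp", ["172.16.1.1"]))
    b.nats.append(Nat("192.168.20.100", "172.16.1.1"))
    return b


def client_http(b: BigIpModel) -> Decision:
    return b.process(Packet(CLIENT, "192.168.20.100", "tcp", 80))


def client_ping(b: BigIpModel) -> Decision:
    return b.process(Packet(CLIENT, "192.168.20.100", "icmp"))


def server_outbound(b: BigIpModel) -> Decision:
    return b.process(Packet("172.16.1.1", "203.0.113.9", "tcp", 443))


if __name__ == "__main__":
    for label, cfg in (("poster", poster_config()), ("with NAT", nat_config())):
        for name, fn in (("http", client_http), ("ping", client_ping), ("outbound", server_outbound)):
            d = fn(cfg)
            print(f"{label:9} {name:9} -> {d.handler:15} {d.packet}")
```

In the poster's configuration the HTTP connection is claimed by the virtual server and reaches 172.16.1.1 with the client's own source address (switching on automap changes that source to the self IP), the standalone SNAT only rewrites traffic that 172.16.1.1 initiates, and the ping matches no virtual server and no NAT, so in this model nothing processes it. With a NAT sharing the address instead, the virtual server still wins for port 80 while the ping falls through to the one-to-one NAT.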