Forum Discussion
Process order of Virtual Server and SNAT
Per: sol9039: A virtual server with a SNAT pool takes precedence over matching the NAT, a virtual server will take precedence over a NAT.
If a request originating from the NAT's origin IP address also matches a virtual server configured on the BIG-IP system, the virtual server will process the connection and the NAT translation address will be applied to the outgoing packet.
- A SNAT ("secure" or "source" NAT) will change the client's true source address to another address specified. This is usually employed in environments where the back end server has a direct route back to the client (around the BIG-IP). A SNAT profile applied to the virtual server will change the client's source address to an address controlled by the BIG-IP so that return traffic is forced back through the BIG-IP interface. A SNAT "Automap" configuration uses the (most appropriate) BIG-IP self-IP for source address translation. If, however, you might have more than 65,535 simultaneous unique connections, you can build a SNAT pool with multiple addresses. The BIG-IP will use all of the ports available in one pool IP address before cycling to the next IP address.
There are caveats to each, but generally speaking, a (standard) virtual server is a "one-to-many", where a single VIP destination address is translated to many back end server addresses, a NAT is a "one-to-one" where one NAT address is applied to one origin address, and a SNAT is a "many-to-one" where many hosts (clients) can be associated to one SNAT address.
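The precedence and SNAT pool behaviour described in this thread, as an added Python model that is not part of the original posts and is not BIG-IP code. It is useful when working out which source address a back-end server will see for a given flow. The class and function names and all addresses are constructed for illustration, and the port-by-port allocation follows the answer's description only.

```python
from dataclasses import dataclass, field

@dataclass
class SnatPool:
    """Uses every port on one address before moving to the next, as the answer describes."""
    addresses: list
    ports_per_address: int = 65535              # ceiling quoted in the answer
    in_use: dict = field(default_factory=dict)  # address -> set of ports currently taken

    def allocate(self):
        for addr in self.addresses:
            used = self.in_use.setdefault(addr, set())
            if len(used) < self.ports_per_address:
                port = next(p for p in range(1, self.ports_per_address + 1)
                            if p not in used)
                used.add(port)
                return addr, port
        raise RuntimeError("SNAT pool exhausted: add translation addresses")

    def release(self, addr, port):
        self.in_use[addr].discard(port)

def translated_source(src, dst, virtual_servers, nats):
    """Return (handling object, source address the next hop sees).
    virtual_servers: {vip: SnatPool or None}; nats: {origin_ip: nat_address}."""
    if dst in virtual_servers:                   # a virtual server wins over a NAT
        pool = virtual_servers[dst]
        if pool is not None:                     # SNAT pool beats the matching NAT
            return "virtual+snatpool", pool.allocate()[0]
        return "virtual", nats.get(src, src)     # NAT address still applied on egress
    if src in nats:
        return "nat", nats[src]
    return "forward", src

if __name__ == "__main__":
    # Constructed sample objects (documentation address ranges).
    vs = {"203.0.113.5": SnatPool(["192.0.2.10", "192.0.2.11"]), "203.0.113.6": None}
    nats = {"10.0.0.7": "198.51.100.7"}
    for dst in ("203.0.113.5", "203.0.113.6", "203.0.113.99"):
        print(dst, translated_source("10.0.0.7", dst, vs, nats))
```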
