should client see the SNAT IP
Hi All,
I need to understand whether my client sees the SNAT IP during the TCP connection / data flows.
As I see in one of the client application screenshots, they are able to see the self IP which is communicating with the back-end nodes.
I suppose the client should only see the VIP IP, not the SNAT IP. If the client is able to see the SNAT IP, isn't that a security hole?
Any explanations will be much appreciated.
Thanks Soumen Abhishek
Hey Soumen
Can you please explain a bit further regarding the different traffic flows? When is the client seeing the SNAT address?
Since the BIG-IP is a Full Proxy, there will be one TCP connection between the Client and the BIG-IP and one TCP connection between the BIG-IP and the Server.
You are correct that when a client communicates with the VIP, it will only see traffic between itself and the VIP. And on the server side, if you have SNAT enabled on your virtual server, the server side connection will see the SNAT IP address.
To give you an example, here are the traffic flows of my client communicating with the BIG-IP, and the BIG-IP with the server. The .33 address is my floating self-IP address on that VLAN:
    [root@bigipcore02:Active:Changes Pending] config tmsh show sys connection cs-server-addr 10.10.15.245
    Sys::Connections
    10.10.10.111:42012  10.10.15.245:80  10.10.15.33:42012  10.10.15.10:80  tcp  25  (tmm: 0)  none
Is it possible for you to share the printscreen of the traffic?
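Added example, not part of the original posts: a small Python parser for a connection-table row like the one quoted above, reporting which address each peer has as its TCP peer and whether the server-side source was translated. The column order (client, virtual server, server-side source, pool member) and the function names are assumptions; it handles IPv4 rows without route-domain suffixes only.

```python
import ipaddress
import re

# Constructed sample: the connection-table row quoted in the post above.
SAMPLE = ("10.10.10.111:42012 10.10.15.245:80 10.10.15.33:42012 "
          "10.10.15.10:80 tcp 25 (tmm: 0) none")

# Assumed column order: client, virtual server, server-side source, pool member.
ROW = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s")


def parse_row(line):
    """Split one row into the two TCP connections of the full proxy."""
    m = ROW.match(line.strip())
    if not m:
        raise ValueError("not a connection row: %r" % line)
    g = m.groups()
    # ip_address() rejects anything that is not a literal IP address.
    ep = [(str(ipaddress.ip_address(g[i])), int(g[i + 1])) for i in (0, 2, 4, 6)]
    return {
        "client_side": {"client": ep[0], "virtual": ep[1]},
        "server_side": {"source": ep[2], "node": ep[3]},
        "protocol": g[8],
    }


def summarize(line):
    """Report which address each peer sees as its TCP peer."""
    row = parse_row(line)
    client_ip = row["client_side"]["client"][0]
    source_ip = row["server_side"]["source"][0]
    return {
        # The client's TCP peer is the virtual server address.
        "client_sees": row["client_side"]["virtual"][0],
        # The pool member's TCP peer is the server-side source address.
        "server_sees": source_ip,
        # Source differs from the real client: the address was translated.
        "snat_applied": source_ip != client_ip,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
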
- volodh_214395
Nimbostratus
Hi,
If you want the F5 to use the VIP IP to communicate with the client, use the following iRule. Otherwise, the client will see the self IP of the F5.
    when CLIENT_ACCEPTED {
        snat [IP::local_addr]
    }
- SAP
Nimbostratus
Hi Volodh,
Is that the default behaviour?
Thanks