Aug 11, 2011

SNAT - Do I need it?




We have an LTM which has a standard HTTP VIP with a pool of ISA proxy servers. SNAT automap is enabled for this VIP.



The guys who manage the proxies have said that they need to see the client's IP address rather than the F5's IP; this is due to some authentication issue they have.



So the VIP is:



The nodes in the pool are all on the subnet


The F5 will SNAT using the egress interface which is also on the subnet.



So obviously if I disable SNAT the original client IP will be retained; the source address hitting the server won't be in the same subnet as the server, so we need to make sure it has a route back to the original client.



In this type of setup is there a need for SNAT? This is on a totally internal network. The ISA servers will forward to the internet but does it matter what the original source IP was?





    SNAT is great in the one-armed setup whereby the LTM isn't the default gateway, to ensure return traffic goes via the LTM, and that's the need I have here at my org. If you disable SNAT you'll need to ensure that there is a route back from the ISA servers to the original clients that goes via the LTM, or else out-of-state issues will occur, for example. As for internet traffic, the ISA will proxy the traffic anyway, so that will be the source as far as the internet web servers are concerned.



    You could add the X-Forwarded-For profile to the VIP whilst using SNAT, although that would require that the ISA server can read this field in the header. Not sure about ISA I'm afraid.



  • That's a good point about 'out of state' issues. If SNAT is not used the ISA server will reply back using its default gateway, which is not the F5, and asynchronous routing will occur.


    As you said, a workaround would be to set the default gateway of the ISA to the F5; we have an HA cluster so it would have to use the floating IP to ensure it's always available.


    I looked into the X-Forwarded-For header, also not sure if ISA supports it, but I will investigate as I don't like the idea of not using SNAT.... anyone could log on to the server and change the gateway, whereas only a few people have access to the F5.
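Two points from the thread are worth pinning down in code: the return-path test that decides whether SNAT is needed at all (the "out of state" concern in the first reply), and what the ISA side has to do if the X-Forwarded-For route is taken. The header is writable by any client, so a proxy that authenticates on it must only believe it when the TCP peer is the LTM, and then only the value the LTM wrote. The following is an added example, not code from the original thread or from F5; the LTM self IP, floating IP, subnets and client addresses are constructed, and it assumes the LTM appends the client address after any X-Forwarded-For value the client already supplied (either as a comma-separated list or as an extra header), so the rightmost value is the trusted one.

```python
import ipaddress

# Constructed addresses for the example (hypothetical, not from the thread).
LTM_SELF_IP = ipaddress.ip_address("10.10.20.5")       # SNAT automap source on the server VLAN
LTM_FLOATING_IP = ipaddress.ip_address("10.10.20.5")   # floating self IP of the HA pair
TRUSTED_PROXIES = {LTM_SELF_IP}


def needs_snat(client_ip, server_subnet, server_default_gw, ltm_floating_ip):
    """Simplified return-path check for a VIP with SNAT disabled.

    The reply leaves the pool member via its default gateway unless the client
    is on the member's own subnet, in which case it is delivered directly.
    Either way, if the reply does not pass through the LTM the flow is
    asymmetric and the LTM's connection state is bypassed, so SNAT (or a
    route back through the LTM) is required. Assumption: a gateway other than
    the LTM has no route back through it.
    """
    client = ipaddress.ip_address(client_ip)
    subnet = ipaddress.ip_network(server_subnet, strict=False)
    gateway = ipaddress.ip_address(server_default_gw)
    ltm = ipaddress.ip_address(ltm_floating_ip)
    if client in subnet:
        return True                     # member answers the client directly, LTM bypassed
    return gateway != ltm               # reply transits the LTM only if it is the gateway


def xff_values(headers):
    """Return every X-Forwarded-For value in wire order.

    Accepts both shapes a load balancer can produce: one header carrying a
    comma-separated list, or several X-Forwarded-For headers.
    """
    values = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Pick the address the proxy should authenticate.

    peer_ip is the TCP source the server actually sees. X-Forwarded-For is
    consulted only when that peer is a trusted proxy (the LTM after SNAT),
    and then only its last value, the one the trusted hop appended; values a
    client put in the header itself sit further left and are ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return peer                     # direct connection (or SNAT off): socket address is authoritative
    values = xff_values(headers)
    if not values:
        return peer                     # trusted hop but no XFF insertion configured
    try:
        return ipaddress.ip_address(values[-1])
    except ValueError:
        return peer                     # garbage in the header: fall back to the hop address


if __name__ == "__main__":
    # Constructed request as the ISA would see it with SNAT automap + XFF insertion.
    hdrs = [("Host", "proxy.example.test"),
            ("X-Forwarded-For", "1.2.3.4"),           # spoofed by the client
            ("X-Forwarded-For", "192.168.50.7")]      # appended by the LTM
    print("client:", client_ip("10.10.20.5", hdrs))
    print("SNAT needed with router gateway:", needs_snat("192.168.50.7", "10.10.20.0/24", "10.10.20.1", LTM_FLOATING_IP))
    print("SNAT needed with LTM as gateway:", needs_snat("192.168.50.7", "10.10.20.0/24", "10.10.20.5", LTM_FLOATING_IP))
```

The trust set is the part that matters for the authentication issue the proxy team raised: with SNAT automap the only peer address the ISA ever sees for VIP traffic is the LTM's self IP, so that single address is the whole allowlist, and a client connecting to the ISA directly with a forged header is never believed.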