Forum Discussion
SNAT = Secure NAT or SNAT = Source NAT ????
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_snat.html1203505
States that:
"secure network address translation (SNAT) translates the source IP address within a connection to a BIG-IP system IP address that you define. The destination node then uses that new source address as its destination address when responding to the request.
SNATs ensure that server nodes always send responses back through the BIG-IP system, when the server's default route would not normally do so. Because a SNAT causes the server to send the response back through the BIG-IP system, the client sees that the response came from the address to which the client sent the request, and consequently accepts the response.
SNATs ensure that the internal IP address of the server node remains hidden to an external host when the server initiates a connection to that host."
===
And then this F5 document:
http://www.f5networks.nl/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4config/BIGIP_LTM_CONFIG_GD_9_4-14-1.html
"A SNAT is an object that maps an original client IP address (that is, a source IP address) to a translation address that you choose. Thus, a SNAT causes the BIG-IP system to translate the source IP address of an incoming packet to an address that you specify. The purpose of a SNAT is simple: to ensure that the target server sends its response back through the BIG-IP system rather than to the original client IP address directly.
...
Because the purpose of a SNAT is simply to change the source IP address of incoming packets, the term secure network address translation is a slight misnomer. A better way to define the SNAT acronym would be source network address translation, or source NAT."
----
Now I'm lost. For example, here:
pool p.test {
snat disable
}
What does this SNAT setting on the pool do?? Is it for the client (incoming), for the server node (outgoing), or for both??
Thanks
- nitass (Employee): It specifies whether source address translation is allowed or disallowed when F5 sends traffic to a pool member. If it is set to disable, the address translation won't be performed even if SNAT is configured under the virtual server configuration.
[root@ve1023:Active] config b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   profiles {
      http {}
      tcp {}
   }
}
[root@ve1023:Active] config b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve1023:Active] config tcpdump -nni 0.0 port 80 and 'tcp[13] & 2!=0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
22:17:57.008470 IP 172.28.19.253.34004 > 172.28.19.79.80: S 4228331414:4228331414(0) win 5840
22:17:57.008513 IP 172.28.19.79.80 > 172.28.19.253.34004: S 1267252982:1267252982(0) ack 4228331415 win 4380
22:17:57.011564 IP 200.200.200.10.34004 > 200.200.200.101.80: S 3448841009:3448841009(0) win 4380
22:17:57.012272 IP 200.200.200.101.80 > 200.200.200.10.34004: S 2690028714:2690028714(0) ack 3448841010 win 5792
[root@ve1023:Active] config b pool foo snat disable
[root@ve1023:Active] config b pool foo list
pool foo {
   snat disable
   members 200.200.200.101:80 {}
}
[root@ve1023:Active] config tcpdump -nni 0.0 port 80 and 'tcp[13] & 2!=0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
22:18:55.886280 IP 172.28.19.253.34017 > 172.28.19.79.80: S 2450241768:2450241768(0) win 5840
22:18:55.886317 IP 172.28.19.79.80 > 172.28.19.253.34017: S 4210101896:4210101896(0) ack 2450241769 win 4380
22:18:55.888366 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380
22:18:58.888405 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380
22:19:02.088387 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380
22:19:05.288661 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380
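The two captures above can be read mechanically. The following script is an added example, not code from the thread or from F5: it parses SYN-only tcpdump lines, separates the client-side leg (the one involving the virtual server address) from the server-side leg, and reports which source address the pool member saw, whether that address was translated, and whether the member's SYN-ACK ever came back through BIG-IP. The sample lines are quoted from nitass's capture; the function names, the split into "legs" and the wording of the verdict are this example's own assumptions.

```python
import re
from collections import Counter

# Sample input: the SYN-only tcpdump lines nitass posted above (quoted from
# the post, not constructed). First capture: "snat automap" on the virtual server.
CAPTURE_SNAT_AUTOMAP = """\
22:17:57.008470 IP 172.28.19.253.34004 > 172.28.19.79.80: S 4228331414:4228331414(0) win 5840
22:17:57.008513 IP 172.28.19.79.80 > 172.28.19.253.34004: S 1267252982:1267252982(0) ack 4228331415 win 4380
22:17:57.011564 IP 200.200.200.10.34004 > 200.200.200.101.80: S 3448841009:3448841009(0) win 4380
22:17:57.012272 IP 200.200.200.101.80 > 200.200.200.10.34004: S 2690028714:2690028714(0) ack 3448841010 win 5792
"""

# Second capture: the same virtual server after "b pool foo snat disable".
CAPTURE_POOL_SNAT_DISABLE = """\
22:18:55.886280 IP 172.28.19.253.34017 > 172.28.19.79.80: S 2450241768:2450241768(0) win 5840
22:18:55.886317 IP 172.28.19.79.80 > 172.28.19.253.34017: S 4210101896:4210101896(0) ack 2450241769 win 4380
22:18:55.888366 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380
22:18:58.888405 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380
22:19:02.088387 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380
22:19:05.288661 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380
"""

# One "tcpdump -n" line carrying a TCP SYN; a SYN-ACK has " ack <n>" in the tail.
SYN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): S (?P<seq>\d+):\d+\(0\)(?P<rest>.*)$"
)


def parse_syns(text):
    """Return one dict per SYN/SYN-ACK line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = SYN_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["synack"] = " ack " in p["rest"]
            pkts.append(p)
    return pkts


def analyse(text, vip, client):
    """Describe the server-side leg of a proxied connection.

    vip    - the virtual server address the client connected to
    client - the client's real address
    Returns None when the capture holds no server-side SYN.
    """
    pkts = parse_syns(text)
    # BIG-IP is a full proxy: the client-side leg involves the VIP and the
    # server-side leg does not, so split on whether the VIP appears at all.
    server_leg = [p for p in pkts if vip not in (p["src"], p["dst"])]
    syns = [p for p in server_leg if not p["synack"]]
    if not syns:
        return None
    member = syns[0]["dst"]
    source_used = syns[0]["src"]
    # The same sequence number repeated means the same SYN was retransmitted,
    # i.e. no SYN-ACK from the member came back through BIG-IP.
    retransmits = sum(n - 1 for n in Counter(p["seq"] for p in syns).values())
    answered = any(p["synack"] and p["src"] == member for p in server_leg)
    return {
        "member": member,
        "server_side_source": source_used,
        "translated": source_used != client,
        "member_answered": answered,
        "syn_retransmits": retransmits,
    }


def verdict(result):
    """One-line reading of an analyse() result."""
    if result is None:
        return "no server-side SYN seen"
    if result["translated"]:
        return (f"SNAT in effect: member {result['member']} sees source "
                f"{result['server_side_source']} instead of the client, so its "
                f"reply returns through BIG-IP")
    if not result["member_answered"]:
        return (f"no SNAT: member {result['member']} saw the real client address "
                f"{result['server_side_source']} and no SYN-ACK came back through "
                f"BIG-IP ({result['syn_retransmits']} SYN retransmits), consistent "
                f"with the member routing its reply around BIG-IP")
    return f"no SNAT, but member {result['member']} still answered through BIG-IP"


if __name__ == "__main__":
    for name, cap in (("snat automap", CAPTURE_SNAT_AUTOMAP),
                      ("pool snat disable", CAPTURE_POOL_SNAT_DISABLE)):
        print(name, "->", verdict(analyse(cap, "172.28.19.79", "172.28.19.253")))
```

Run against the first capture it reports the translated source 200.200.200.10 and an answered handshake; against the second it reports the untranslated client address 172.28.19.253, no SYN-ACK and three retransmits. The filter `port 80 and 'tcp[13] & 2!=0'` from the post keeps only SYN and SYN-ACK packets, which is exactly what the parser expects.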
- hooleylist (Cirrostratus): Also, to clarify, it's considered a secure NAT as only the clients can originate connections to the SNAT IP address. I.e., if you enable SNAT the destination host cannot open a connection to the SNAT IP. Compare this with a full NAT where either the client or the server could open a connection to the other host via the translation address.
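The direction-of-origination difference hooleylist describes can be shown with a small stateful model. This is an added example, not code from the thread or from F5: one translator class that behaves as a SNAT (state is created only by flows the internal node opens; anything else arriving at the translation address is dropped) or as a full NAT (unsolicited packets to the translation address are forwarded to the node as well). The class, method names and the addresses are constructed for the example; port rewriting is left out to keep the state key simple.

```python
class Translator:
    """Toy stateful address translator in front of one internal node.

    bidirectional=False models a SNAT: only flows the node originated create
    state, and an outside host cannot reach the node through the translation
    address on its own.  bidirectional=True models a full NAT, which also
    forwards unsolicited inbound packets sent to the translation address.
    Packets are (src, sport, dst, dport) tuples; addresses are constructed.
    """

    def __init__(self, node, translation, bidirectional):
        self.node = node                    # the node's real address
        self.translation = translation      # the address the outside sees
        self.bidirectional = bidirectional
        self.flows = set()                  # (peer, peer_port, node_port)

    def outbound(self, src, sport, dst, dport):
        """Packet leaving the node: rewrite the source and record the flow."""
        if src != self.node:
            return None
        self.flows.add((dst, dport, sport))
        return (self.translation, sport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Packet arriving at the translation address.

        Returns the rewritten packet, or None when it is dropped.
        """
        if dst != self.translation:
            return None
        if (src, sport, dport) in self.flows:
            # Reply to a flow the node opened: accepted by both SNAT and NAT.
            return (src, sport, self.node, dport)
        if self.bidirectional:
            # Full NAT: an outside host may open a new connection to the node.
            return (src, sport, self.node, dport)
        # SNAT: no matching state, so the packet is dropped.
        return None


def exchange(bidirectional):
    """Push the same three packets through a SNAT or a NAT.

    Returns (reply, unsolicited): what the translator does with the peer's
    reply to a node-originated flow, and with a connection the peer tries to
    open toward the translation address on its own.
    """
    t = Translator(node="10.0.0.5", translation="203.0.113.10",
                   bidirectional=bidirectional)
    t.outbound("10.0.0.5", 40000, "198.51.100.7", 80)                    # node -> peer
    reply = t.inbound("198.51.100.7", 80, "203.0.113.10", 40000)         # peer replies
    unsolicited = t.inbound("198.51.100.7", 55555, "203.0.113.10", 22)   # peer initiates
    return reply, unsolicited


if __name__ == "__main__":
    print("SNAT:", exchange(bidirectional=False))
    print("NAT: ", exchange(bidirectional=True))
```

With `bidirectional=False` the reply is delivered to 10.0.0.5 but the unsolicited packet to port 22 is dropped; with `bidirectional=True` both are forwarded to the node. That asymmetry is the only sense in which a SNAT is "secure": it says nothing about the traffic inside the flows the node itself opens.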
- Hamish (Cirrocumulus): IMO... I agree with the second F5 doc referenced above... It's Source NAT... Because there is nothing secure about NAT... Even if it's implemented securely, NAT does NOT imply security. And NAT'ing does not improve security.