Forum Discussion

adelossantos_16's avatar
adelossantos_16
Icon for Nimbostratus rankNimbostratus
Dec 06, 2011

SNAT = Secure NAt or SNAT = Source NAT ????

According to this F5 document:

 

 

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_snat.html1203505

 

 

States that:

 

secure network address translation (SNAT) translates the source IP address within a connection to a BIG-IP system IP address that you define. The destination node then uses that new source address as its destination address when responding to the request.

 

SNATs ensure that server nodes always send responses back through the BIG-IP system, when the servers default route would not normally do so. Because a SNAT causes the server to send the response back through the BIG-IP system, the client sees that the response came from the address to which the client sent the request, and consequently accepts the response.

 

SNATs ensure that the internal IP address of the server node remains hidden to an external host when the server initiates a connection to that host."

 

 

 

 

 

 

===

 

 

And then this F5 document:

 

 

http://www.f5networks.nl/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_4config/BIGIP_LTM_CONFIG_GD_9_4-14-1.html

 

 

 

"A SNAT is an object that maps an original client IP address (that is, a source IP address) to a translation address that you choose. Thus, a SNAT causes the BIG-IP system to translate the source IP address of an incoming packet to an address that you specify. The purpose of a SNAT is simple: to ensure that the target server sends its response back through the BIG-IP system rather than to the original client IP address directly.

 

 

.

 

.

 

 

Because the purpose of a SNAT is simply to change the source IP address of incoming packets, the term secure network address translation is a slight misnomer. A better way to define the SNAT acronym would be source network address translation, or source NAT."

 

 

 

 

----

 

 

Now im lost, for example here:

 

 

 

pool p.test {

 

snat disable

 

member 10.20.25.27:any

 

}

 

 

 

What this SNAT on the pool does ?? its for the client (incoming) or for the server node (outgoing) or for both ??

 

 

Thanks

 

 

 

config
design
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 06, 2011
    it specifies whether source address translation is allowed/disallowed when f5 sends traffic to pool member. if it is set to disable, the address translation won't be performed even snat is configured under virtual server configuration.

    e.g. 

    [root@ve1023:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   profiles {
      http {}
      tcp {}
   }
}
[root@ve1023:Active] config  b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}

[root@ve1023:Active] config  tcpdump -nni 0.0 port 80 and 'tcp[13] & 2!=0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
22:17:57.008470 IP 172.28.19.253.34004 > 172.28.19.79.80: S 4228331414:4228331414(0) win 5840 
22:17:57.008513 IP 172.28.19.79.80 > 172.28.19.253.34004: S 1267252982:1267252982(0) ack 4228331415 win 4380 
22:17:57.011564 IP 200.200.200.10.34004 > 200.200.200.101.80: S 3448841009:3448841009(0) win 4380 
22:17:57.012272 IP 200.200.200.101.80 > 200.200.200.10.34004: S 2690028714:2690028714(0) ack 3448841010 win 5792 

[root@ve1023:Active] config  b pool foo snat disable
[root@ve1023:Active] config  b pool foo list
pool foo {
   snat disable
   members 200.200.200.101:80 {}
}

[root@ve1023:Active] config  tcpdump -nni 0.0 port 80 and 'tcp[13] & 2!=0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
22:18:55.886280 IP 172.28.19.253.34017 > 172.28.19.79.80: S 2450241768:2450241768(0) win 5840 
22:18:55.886317 IP 172.28.19.79.80 > 172.28.19.253.34017: S 4210101896:4210101896(0) ack 2450241769 win 4380 
22:18:55.888366 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380 
22:18:58.888405 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380 
22:19:02.088387 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380 
22:19:05.288661 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Dec 06, 2011
    Also, to clarify, it's considered a secure NAT as only the clients can originate connections to the SNAT IP address. ie, if you enable SNAT the destination host cannot open a connection to the SNAT IP. Compare this with a full NAT where either the client or the server could open a connection to the other host via the translation address.

     

     

    Aaron
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Dec 06, 2011
    IMO... I agree with the second F5 doc referenced above... Its Source NAT... Because there is nothing secure about NAT... Even if it's implemented securely, NAT does NOT imply security. And NAT'ing does not improve security.

     

     

    Utilising NAT instead of a traditional packet filter doesn't make it any more secure. NAT is for where you run out of real addresses... Nothing more. Nothing less. Roll on IPv6

     

     

    H