Forum Discussion

adelossantos_16's avatar
adelossantos_16
Icon for Nimbostratus rankNimbostratus
Dec 06, 2011

SNAT = Secure NAt or SNAT = Source NAT ????

According to this F5 document:     http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_snat.html1203505     States that:   secure netw...
config
design
nitass's avatar
nitass
Icon for Employee rankEmployee
Dec 06, 2011
it specifies whether source address translation is allowed/disallowed when f5 sends traffic to pool member. if it is set to disable, the address translation won't be performed even snat is configured under virtual server configuration.

e.g. 

[root@ve1023:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   profiles {
      http {}
      tcp {}
   }
}
[root@ve1023:Active] config  b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}

[root@ve1023:Active] config  tcpdump -nni 0.0 port 80 and 'tcp[13] & 2!=0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
22:17:57.008470 IP 172.28.19.253.34004 > 172.28.19.79.80: S 4228331414:4228331414(0) win 5840 
22:17:57.008513 IP 172.28.19.79.80 > 172.28.19.253.34004: S 1267252982:1267252982(0) ack 4228331415 win 4380 
22:17:57.011564 IP 200.200.200.10.34004 > 200.200.200.101.80: S 3448841009:3448841009(0) win 4380 
22:17:57.012272 IP 200.200.200.101.80 > 200.200.200.10.34004: S 2690028714:2690028714(0) ack 3448841010 win 5792 

[root@ve1023:Active] config  b pool foo snat disable
[root@ve1023:Active] config  b pool foo list
pool foo {
   snat disable
   members 200.200.200.101:80 {}
}

[root@ve1023:Active] config  tcpdump -nni 0.0 port 80 and 'tcp[13] & 2!=0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
22:18:55.886280 IP 172.28.19.253.34017 > 172.28.19.79.80: S 2450241768:2450241768(0) win 5840 
22:18:55.886317 IP 172.28.19.79.80 > 172.28.19.253.34017: S 4210101896:4210101896(0) ack 2450241769 win 4380 
22:18:55.888366 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380 
22:18:58.888405 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380 
22:19:02.088387 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380 
22:19:05.288661 IP 172.28.19.253.34017 > 200.200.200.101.80: S 802990352:802990352(0) win 4380