For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

robert_blair_75's avatar
robert_blair_75
Icon for Nimbostratus rankNimbostratus
Oct 05, 2009

SNAT Auto-map

My knowledge is in version 4.5 and we are implementing new 9.4 LTMs. My questions is:

 

 

In version 4.5, I defined SNAT-Automap under a non-floating self IP for the external links.

 

Under version 9.4, I have a “default gateway” virtual server defined with SNAT-Automap enabled.

 

 

With outbound traffic (http, http, ftp, etc..), it appears that the source ip address is being translated to the floating self ip address (10.10.10.100) for the link.

 

 

Shouldn't the source ip address be translated to the non-floating ip address (10.10.10.200) for the link ?

 

 

- Virtual server: default_gateway

 

- Address: 0.0.0.0/0.0.0.0

 

- Pool: default_gateway_pl (members: 10.10.10.1)

 

- Service: 0

 

- SNAT Pool: Auto Map

 

 

- Link - router ip: 10.10.10.1

 

- Floating Self ip: 10.10.10.100

 

- Self ip: 10.10.10.200

 

 

Thanks ….

 

config
design

4 Replies

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Oct 05, 2009
    According to the documentation on ask.f5.com I believe it uses the floating self-address.

     

     

    The SNAT Automap feature selects a translation address from the available self IP address in the following order of preference:

     

    * Floating self IP addresses on the egress VLAN

     

    * Floating self IP addresses on different VLANs

     

    * Non-floating self IP addresses on the egress VLAN

     

    * Non-floating self IP addresses on different VLANs

     

     

    (Click here) to see the article.

     

     

    I hope this helps

     

    CB

     

     

     

  • robert_blair_75's avatar
    robert_blair_75
    Icon for Nimbostratus rankNimbostratus
    Oct 05, 2009
    This help, so with this being said if I failover to our backup device the traffic will have the same source ip.

     

     

    Thanks ….

     

  • Steven_Le_Roux_'s avatar
    Steven_Le_Roux_
    Icon for Nimbostratus rankNimbostratus
    May 25, 2012
    Hi,

     

     

    I'm reviving this thread because I have a question relating those elements.

     

     

    Is the SNAT Automap algorithm traffic group aware ?

     

     

    I explain,

     

     

    If I have two devices, dev0, dev1 with two traffic groups tg0, tg1.

     

    10.0.0.10 is the virtual address on tg0.

     

    10.0.1.1 is the floating on tg1 and 10.0.1.2 is a floating on tg0.

     

     

    Connection will be "snated" with 10.0.1.2 in a normal situation.

     

     

    If fail over occurs with dev0 and dev1 now handles tg0 and tg1, existing connections will continue on dev1 as expected, but what about new connections ? Is it possible that the snat automap on dev1 attribute some of the floating from tg1 for connections to 10.0.0.10 ?

     

     

    If so, this is problematic when you fail back because you will have 10.0.0.10 failing back to dev0, through tg0, but establised connections with 10.0.1.1 through tg1 will be lost, remaining on dev1.

     

     

    Any information about this ?
    • Bernhard_M's avatar
      Bernhard_M
      Icon for Nimbostratus rankNimbostratus
      Sep 22, 2015
      old question but still unanswered :) Yes, automap is traffic-group aware. It uses only floating-self-ips in the same traffic-group. If non is available it falls back to the non-floating-self-ip.