Forum Discussion
SNAT automap
A colleague of mine has created a SNAT below:
    ltm snat def-automap {
        automap
        origins {
            0.0.0.0/0 { }
        }
    }
He says that is all that is needed in order to ensure that all the virtual servers (VS) on this LTM will be SNATed to the egress self-IP. Is this true? The servers behind the VS point to a router as their default gateway. I have always gone inside every VS and chosen SNAT and Automap to do this. Thanks!
9 Replies
- Riley_Schuit_82
Historic F5 Account
Yes, that is true. It's essentially a global SNAT that will apply to all traffic destined for virtual servers. This is probably fine for simple setups, but there are many applications that do not have functionality similar to X-Forwarded-For to find the source address after it's SNAT'd.
- Anthony_Pineda
Nimbostratus
So once I have this in place I can leave SNAT inside the virtual server as None and I would still see incoming traffic as coming from the LTM self-IP?
- nitass
Employee
So once I have this in place I can leave SNAT inside the virtual server as None and I would still see incoming traffic as coming from the LTM self-IP?
Yes.
Anyway, I prefer the SNAT setting under the virtual server to a global SNAT because it is more granular (i.e. it is applied to traffic to the virtual server only).
- Riley_Schuit_82
Historic F5 Account
I strongly suggest nitass's suggestion.
- Anthony_Pineda
Nimbostratus
I tested this in the lab with a setting of None on the VS. Without specifying Automap within the VS configuration, the server still sees the original client IP (None setting) despite the presence of a global SNAT automap object.
- dragonflymr
Cirrostratus
Hi,
Am I wrong that it will open LTM to any traffic directed to any of the self IPs? If a SNAT object with Automap and All Addresses is set and All VLANs is selected as well, then it will be possible to reach any servers in internal from external and vice versa? For example, any computer in internal with DG set to the internal VLAN self IP will be able to reach servers in the external VLAN, and any computer in external with DG set to the external self IP can reach servers in internal. DG does not even need to be set to the self IPs if a static route is created on the computer. At least that is the result of the test I did today. So a SNAT object by itself will be routing traffic via LTM even when there is no VS defined.
Piotr
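The configuration discussed in this thread (a SNAT object with automap, an origin of 0.0.0.0/0 and no VLAN restriction) can be flagged for review with a short audit over the saved configuration. This is an added example, not part of the original thread or F5's own tooling; the sample stanzas, the object name app-outbound and the addresses are constructed, and the check assumes the bigip.conf stanza layout shown.

```python
import re

# Constructed sample in bigip.conf layout; names and addresses are made up.
SAMPLE_CONF = """\
ltm snat /Common/def-automap {
    automap
    origins {
        0.0.0.0/0 { }
    }
}
ltm snat /Common/app-outbound {
    automap
    origins {
        10.1.20.0/24 { }
    }
    vlans {
        /Common/internal
    }
    vlans-enabled
}
"""

def snat_stanzas(conf):
    """Yield (name, body) for each top-level 'ltm snat' object, by brace matching."""
    for m in re.finditer(r"^ltm snat (\S+) \{", conf, re.M):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit_global_snats(conf):
    """Return names of automap SNATs whose origin is any address and that
    carry no 'vlans-enabled' list, i.e. they are not limited to named VLANs."""
    findings = []
    for name, body in snat_stanzas(conf):
        tokens = body.split()
        any_origin = any(t in ("0.0.0.0/0", "::/0") for t in tokens)
        if "automap" in tokens and any_origin and "vlans-enabled" not in tokens:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for name in audit_global_snats(SAMPLE_CONF):
        print(f"review: {name} translates any source and is not limited to named VLANs")
```

A flagged object is a prompt to check whether per-virtual-server Automap, or a SNAT limited to specific origins and VLANs, would cover the same need.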