Forum Discussion

mnb_63148's avatar
mnb_63148
Icon for Nimbostratus rankNimbostratus
Apr 02, 2014

SNAT question

If I a SNAT Pool with only 1 IP in the Member List, will Big-IP allow traffic initiated from the outside in and then translate that address to the IP in the Member List?

 

For example, if I have a server at 10.1.1.1 and I create a SNAT pool translating that IP to 1.1.1.1, if a device from the Internet tries to initiate traffic to 1.1.1.1, will the LTM allow that traffic in and then translate it to 10.1.1.1 or will the translation only take place if 10.1.1.1 initiates the traffic?

 

Thanks.

 

  • A SNAT pool will translate traffic coming through the BIG-IP bound for a resource 'behind' it. So for example:

     

    Client IP address - 10.100.100.100 Server IP address - 20.100.100.100 BIG-IP virtual server IP address - 10.10.10.10 SNAT pool member - 20.10.10.10

     

    Client will initiate a connection the virtual server IP address. The virtual server being configured with the SNAT pool will translate the source IP address of the traffic to 20.10.10.10 and send along to the server at 20.100.100.100.

     

    If for some reason a client sends traffic to the SNAT pool member (if routing is in place to allow this to happen), the BIG-IP will drop the traffic.

     

    SNAT translation will only occur when traffic is destined to the virtual server IP address to which the SNAT pool is applied.

     

  • A SNAT pool will translate traffic coming through the BIG-IP bound for a resource 'behind' it. So for example:

     

    Client IP address - 10.100.100.100 Server IP address - 20.100.100.100 BIG-IP virtual server IP address - 10.10.10.10 SNAT pool member - 20.10.10.10

     

    Client will initiate a connection the virtual server IP address. The virtual server being configured with the SNAT pool will translate the source IP address of the traffic to 20.10.10.10 and send along to the server at 20.100.100.100.

     

    If for some reason a client sends traffic to the SNAT pool member (if routing is in place to allow this to happen), the BIG-IP will drop the traffic.

     

    SNAT translation will only occur when traffic is destined to the virtual server IP address to which the SNAT pool is applied.

     

    • mnb_63148's avatar
      mnb_63148
      Icon for Nimbostratus rankNimbostratus
      Thanks, Cory. Just to be sure that I understand you correctly, let's say that there is no virtual server in play and a user initiates traffic to 20.10.10.10 (translated address for the SNAT pool), the LTM will drop the traffic and not translate to 20.100.100.100 (the server)? The reason why I am asking is because we have some traffic that routes through the LTM for the sole purpose of getting translated/SNAT'd to a public IP in order to talk to websites and other resources on the Internet. I just want to ensure that a user from the outside cannot initiate traffic to 20.10.10.10 (translated address) and reach 20.100.100.100 (the server). Thanks.
    • Cory_50405's avatar
      Cory_50405
      Icon for Noctilucent rankNoctilucent
      Correct, traffic destined to the SNAT pool address 20.10.10.10 will be dropped by the LTM. So it sounds like for your forward proxy setup, you have a forwarding virtual server with a different SNAT pool to ensure return traffic flow comes back through the LTM. For the same reason as before, traffic initiated from the outside bound for your SNAT pool applied to your forwarding virtual server will be dropped. The reverse translation will not be done by the LTM. It only works if the traffic arrives on the virtual server IP address.
    • mnb_63148's avatar
      mnb_63148
      Icon for Nimbostratus rankNimbostratus
      Thanks, Cory. We do not have a forwarding virtual server set up. We just have SNAT pools in place so that a server on a private network can initiate traffic to an address on the Internet. The SNAT gives the server a public IP. Thanks for answering my question.