Forum Discussion
SNAT question
- Apr 02, 2014
A SNAT pool will translate traffic coming through the BIG-IP bound for a resource 'behind' it. So for example:
- Client IP address: 10.100.100.100
- Server IP address: 20.100.100.100
- BIG-IP virtual server IP address: 10.10.10.10
- SNAT pool member: 20.10.10.10
The client will initiate a connection to the virtual server IP address. The virtual server, being configured with the SNAT pool, will translate the source IP address of the traffic to 20.10.10.10 and send it along to the server at 20.100.100.100.
If for some reason a client sends traffic to the SNAT pool member (if routing is in place to allow this to happen), the BIG-IP will drop the traffic.
SNAT translation will only occur when traffic is destined to the virtual server IP address to which the SNAT pool is applied.
- mnb_63148 (Nimbostratus), Apr 02, 2014: Thanks, Cory. Just to be sure that I understand you correctly, let's say that there is no virtual server in play and a user initiates traffic to 20.10.10.10 (translated address for the SNAT pool); the LTM will drop the traffic and not translate to 20.100.100.100 (the server)? The reason why I am asking is because we have some traffic that routes through the LTM for the sole purpose of getting translated/SNAT'd to a public IP in order to talk to websites and other resources on the Internet. I just want to ensure that a user from the outside cannot initiate traffic to 20.10.10.10 (translated address) and reach 20.100.100.100 (the server). Thanks.
- Cory_50405 (Noctilucent), Apr 02, 2014: Correct, traffic destined to the SNAT pool address 20.10.10.10 will be dropped by the LTM. So it sounds like for your forward proxy setup, you have a forwarding virtual server with a different SNAT pool to ensure return traffic flow comes back through the LTM. For the same reason as before, traffic initiated from the outside bound for your SNAT pool applied to your forwarding virtual server will be dropped. The reverse translation will not be done by the LTM. It only works if the traffic arrives on the virtual server IP address.
- mnb_63148 (Nimbostratus), Apr 02, 2014: Thanks, Cory. We do not have a forwarding virtual server set up. We just have SNAT pools in place so that a server on a private network can initiate traffic to an address on the Internet. The SNAT gives the server a public IP. Thanks for answering my question.
- Cory_50405 (Noctilucent), Apr 02, 2014: I see. Bad assumption on my part.
- mnb_63148 (Nimbostratus), Apr 04, 2014: No problem. Thanks for answering my question!
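The behaviour discussed in this thread, both the virtual-server case in Cory's first answer and the virtual-server-less outbound SNAT the poster describes, comes down to one rule: the SNAT address is not a listener, and the LTM only reverse-translates packets that match a flow it created. The following stateful model is an added example written for this page; it is not F5 code, and it simplifies real LTM behaviour (ports are preserved rather than remapped, there are no timeouts, and protocol details are ignored). The addresses come from the thread; the outside host, the Internet destination and the ports are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class SnatDevice:
    """Simplified, stateful model of LTM SNAT handling (constructed for this
    example; not F5 code). Ports are preserved and no timeouts are modelled."""

    def __init__(self, snat_addr, virtual_server=None, pool_member=None,
                 origin_network=None):
        self.snat_addr = snat_addr
        self.vs = virtual_server        # virtual server address, or None
        self.member = pool_member       # real server reached through the VS
        # Source network whose outbound traffic is SNAT'd without any VS
        self.origin = ipaddress.ip_network(origin_network) if origin_network else None
        # Connection table: (peer, peer_port, snat_port) -> (client, client_port)
        self.table = {}

    def process(self, pkt):
        """Return (translated_packet_or_None, reason) for one inbound packet."""
        if pkt.dst == self.snat_addr:
            # Only a reply to a flow this device created is reverse-translated.
            key = (pkt.src, pkt.sport, pkt.dport)
            if key in self.table:
                client, cport = self.table[key]
                return Packet(pkt.src, client, pkt.sport, cport), "reverse-translated"
            # Unsolicited traffic to the SNAT address: nothing listens there.
            return None, "dropped: no matching connection"

        if self.vs is not None and pkt.dst == self.vs:
            # Client -> VS: rewrite the source to the SNAT address, forward to the member.
            self.table[(self.member, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
            return Packet(self.snat_addr, self.member, pkt.sport, pkt.dport), "snat via virtual server"

        if self.origin is not None and ipaddress.ip_address(pkt.src) in self.origin:
            # Internal host -> Internet through a VS-less SNAT (the poster's setup).
            self.table[(pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
            return Packet(self.snat_addr, pkt.dst, pkt.sport, pkt.dport), "snat outbound"

        return None, "dropped: no virtual server or SNAT matches"


def run_scenarios():
    """Replay the flows discussed in the thread; returns the reason per scenario."""
    results = {}
    # Addresses from the thread; outsider, Internet host and ports are constructed.
    client, server, vs, snat = "10.100.100.100", "20.100.100.100", "10.10.10.10", "20.10.10.10"
    outsider = "198.51.100.7"

    # Case 1: virtual server with a SNAT pool.
    dev = SnatDevice(snat, virtual_server=vs, pool_member=server)
    fwd, results["client_to_vs"] = dev.process(Packet(client, vs, 40000, 80))
    assert fwd == Packet(snat, server, 40000, 80)
    back, results["server_reply"] = dev.process(Packet(server, snat, 80, 40000))
    assert back == Packet(server, client, 80, 40000)
    _, results["outsider_to_snat"] = dev.process(Packet(outsider, snat, 5555, 80))

    # Case 2: VS-less SNAT. The server initiates outbound; an outsider cannot
    # initiate toward the server via the SNAT address.
    egress = SnatDevice(snat, origin_network="20.100.100.0/24")
    out, results["server_outbound"] = egress.process(Packet(server, "203.0.113.5", 50000, 443))
    assert out == Packet(snat, "203.0.113.5", 50000, 443)
    _, results["internet_reply"] = egress.process(Packet("203.0.113.5", snat, 443, 50000))
    _, results["outsider_to_egress_snat"] = egress.process(Packet(outsider, snat, 6666, 22))
    return results


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name:24s} {reason}")
```

The connection table is keyed on the peer's address and port plus the SNAT-side port, so a reply is only rewritten back to the internal client when an earlier outbound or VS-bound packet created that entry; any other packet addressed to 20.10.10.10 has no entry and is discarded, which is the guarantee the poster was asking about.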