Forum Discussion
SNAT using Proxy SSL
- Apr 26, 2017
It completely depends on the organization's network setup. SNAT Automap uses the egress VLAN interface IP. If you don't have visibility into the next-hop setup, I would suggest you configure SNAT Automap on the VIP.
For Client->F5->Server, consider these scenarios:
Routed: the client source address goes to the server. Routes back through the F5 BIG-IP are necessary on the servers or the servers' gateway.
SNAT Automap: the client source is managed on the BIG-IP, and the source is translated to the self IP on the egress interface heading toward the servers. For servers needing source IP for reporting or decision processes.
SNAT Pool: the client source is managed on the F5 BIG-IP, but the source is translated to an IP you configure and attach to the virtual server. I like this option because I can map external IP -> internal IP by application, so I know what flows belong to what application on the inside of the organization/DMZ as appropriate. If traffic isn't necessary to come back through the BIG-IP, you can also SNAT to the original client's source IP.
- crengifo_232216, Apr 26, 2017, Nimbostratus
Thanks f5_rock!
I was concerned about whether the use of the Proxy SSL feature requires a special setting on the SNAT for the virtual server. So, based on your information, I can use the option most affordable to the organization where I work.
- Samir_Jha_52506, Apr 26, 2017, Noctilucent
Cool. Proxy SSL (ClientSSL/ServerSSL) doesn't require any additional setting. I would suggest you check the existing VIP configuration (if any) on the same F5 device and make the new VIP config based on that. I mean whether you need the SNAT Automap option or not. You can enable SNAT Automap; it's not an issue.