Forum Discussion

tolinrome_13817's avatar
Icon for Nimbostratus rankNimbostratus
Feb 11, 2014

snat vs automap, whats the difference?

I'm trying to see the difference between the snat and automap for the Source Address Translation option.


Currently I have traffic coming in to the F5 using automap. What though specifically does that mean? And why wouldn't I use SNAT? All the nodes, (servers in our lan), are not configured to have the F5 as its default gateway. I have a lot of virtual servers configured and I'm not sure how the self-ip plays a role in the nating or snating if at all.


From what I understand (but could be wrong) an external client request is directed to the vip ip (since our firewall nats it there) and the destination IP is that of the vip. The F5 then translates the destination IP to that of the IP of the pool member. Then on the way back out the source is translated to the of the vip. But what about the selfip?


Can someone please explain all this? Thanks!


8 Replies

  • JRahm_128324's avatar
    Historic F5 Account

    snat automap uses the egress vlan interface ip. by establishing a snat pool, and attaching, you can control what IP this translates to.


    For the Client->F5->Server, consider these scenarios:


    1. Routed, client source address goes to the server. Routes necessary back through BIG-IP on servers or servers gw


    2. Snat Automap, client source is managed on BIG-IP, source is translated to self IP on egress interface heading toward servers. For servers needing source IP for reporting or decision processes, must insert in an application header or possibly in tcp options.


    3. Snat Pool, client source is still managed on BIG-IP, but source is translated to an IP you configure and attach to the virtual server. I like this option because I can map external IP -> internal IP by application so I know what flows belong to what application on the inside of the organization/dmz as appropriate. If traffic isn't necessary to come back through the BIG-IP, can also snat to the original client's source IP.


  • Thanks JRahm, Help me understand a little clearer please. Since I have chose Automap is this how my traffic is flowing?: Example: External IP from client request: VIP: Node


    External IP from client is nated to the vip, the F5 translates the destination address of to that of the node of On the way back out the F5 translates the source ip address of to that of the vip at




    I'm still not sure if the self ip is being used in my scenario or at all and if it is how? What also confuses me is that the options I have are one of two, either snat or automap, not Snat Automat as if it's one.


  • JRahm_128324's avatar
    Historic F5 Account

    client connection: external ip -> vip ip


    server connection: BIG-IP self ip -> server ip


    • Adriano_Bezerra's avatar
      Icon for Altostratus rankAltostratus

      SNAT is for changing the SOURCE address. Without SNAT, packets from the client arriving at the VIP retain the client's true source address. SNAT is then important if the downstream server knows how to route back to that address directly (not back through the F5). SNAT will change the client source to an address controlled by the F5 to essentially force return traffic back through the proxy.


    • a_basharat's avatar
      Icon for Nimbostratus rankNimbostratus
      JRahm, So looking at that, using a single F5 to load balance across several Servers, Do we really need to configure a Floating IP Address then? The way you described it is not..., Is it only for HA pairs?
    • Vijay_E's avatar
      Icon for Cirrus rankCirrus
      Floating IP is usually required for HA. You don't need it for single F5.
  • JRahm_128324's avatar
    Historic F5 Account

    also, you can do:


    tcpdump -ni 0.0


    and that will show you the flow for client and serverside connections. Of course if you are in a one-armed setup (one vlan), you can just capture on the vlan interface itself.