Forum Discussion
Zdenda
Cirrus
Feb 10, 2015
sNAT with AFM
Hi,
The LB is acting as the default GW of the servers and FW. We've been using iRules for firewalling and SNATing when needed. Now we want to start using AFM and I am not sure what the best approach to do SNAT is ...
Zdenda
Cirrus
Feb 10, 2015
Hmm, I thought I could easily specify the SNAT IP in the iRule and choose whatever IP I want. So are you saying that before I use any IP in the iRule for SNATing connections, I have to create some kind of failover object in a traffic group using this IP?
I am just thinking, does it really need to respond to ARP requests since it will always be the source IP... But anyway, I think it should respond to ARP as it is part of the LB network config. So thanks for the tip, I would have overlooked it.
StephanManthey
Nacreous
Feb 10, 2015
Hi Zdenek,
Sooner or later you can expect the server to send a response, and the address used via SNAT needs to be resolved via ARP. (I stumbled across this a while ago.)
There is one workaround. None of your virtual IPs (including SNATs) need to belong to locally attached networks (not in range of configured self IPs).
But in this case the floating self IPs need to be used as next hop by your peripheral components to reach this virtual address space.
The BIG-IP will route the traffic internally to the virtual address.
In this case only the self IPs will be ARPed.
Thanks, Stephan
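The workaround described in the reply above, as an added planning check that is not part of the original thread: it sorts candidate SNAT/virtual addresses into those inside a self-IP subnet (which will be ARPed) and those outside (which peers must route to via a floating self IP). The subnets, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (assumption, not from the thread): each self-IP
# subnet on the BIG-IP mapped to the floating self IP in that subnet.
FLOATING_SELF_IPS = {
    "10.10.1.0/24": "10.10.1.1",
    "10.10.2.0/24": "10.10.2.1",
}


def classify_snat_addresses(addresses, floating=FLOATING_SELF_IPS):
    """Sort SNAT/virtual addresses by how neighbours will reach them."""
    nets = [ipaddress.ip_network(n) for n in floating]
    result = {"on_link": [], "routed": []}
    for raw in addresses:
        addr = ipaddress.ip_address(raw)
        hits = [n for n in nets if addr in n]
        if hits:
            # Inside a self-IP subnet: servers will ARP for this address,
            # so the BIG-IP has to answer ARP for it.
            best = max(hits, key=lambda n: n.prefixlen)
            result["on_link"].append((raw, str(best)))
        else:
            # Outside every self-IP subnet: never ARPed, reached by routing.
            result["routed"].append(raw)
    return result


def routes_for_peer(peer_ip, routed, floating=FLOATING_SELF_IPS):
    """Host routes a peer needs so replies to routed SNAT addresses arrive."""
    peer = ipaddress.ip_address(peer_ip)
    for net, hop in floating.items():
        if peer in ipaddress.ip_network(net):
            # Next hop is the floating self IP on the peer's own subnet.
            return [(str(ipaddress.ip_network(a)), hop) for a in routed]
    raise ValueError(f"{peer_ip} is not on a self-IP subnet")


if __name__ == "__main__":
    plan = classify_snat_addresses(["10.10.1.50", "192.0.2.10"])
    print(plan)
    print(routes_for_peer("10.10.2.20", plan["routed"]))
```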