Forum Discussion

shadow82's avatar
Icon for Cirrus rankCirrus
Sep 13, 2023

Turn off SNAT selectively


I have F5 VE Act/Stb cluster running 16.1.3 build 0.0.12 with a single external VServer full of LTM policies that redirect traffic to internal VServer on the same F5 and next it's going towards resources behind F5 using it's internal network.

External and internal VServers do use SNAT (External SNAT pool with last IP in internal subnet. Internal VServers SNAT with AutoMap).

Recently I've been asked to prepare another VServer but this time - having pool member in public Internet.

My routing table is simple: reach every interesting internal subnet via internal interface and default route pointing to my Internet FW that does NAT, but SNAT started to be an issue.

Taking a look on Wireshark .pcap I see that:

F5 receives a request and forwards it to correct internal VServer. Internal VServer sends a request to pool member in Internet, but F5 is using internal pool SNAT IP, which will never be NATted. I see 3 TCP Syn with no answer and it gives up. See below screenshot: 

This is handshake attempt, when F5 tries to contact pool member in Internet, but it is using SNAT Pool Internal IP, which has no chances to get there.

I could solve this by an iRule, but I need a hint how to start it or some jibber jabber note about it|
Could you heip with it?

Or maybe my approach is wrong and I could put some rule into LTM Policy (I use them quite extensiveliy)

1 Reply

  • shadow82 The following should work for you but will most likely cause an issue when the response traffic comes back because the traffic will show the SNAT IP of the External F5 SNAT pool. Your best option here would be to create a NAT for the Internal F5 SNAT IP.

    when CLIENT_ACCEPTED priority 500 {
       if { [IP::addr [IP::client_addr] equals <external_VS_SNAT_POOL_IP>] }{
          snat none