Forum Discussion

Srikar
Apr 01, 2021

Understanding SNAT

A SNAT pool is configured, but source translation is set to None on the Virtual Server, and there is a pool attached to it which has Allow SNAT set to Yes. Does translation happen in this case when the client sends a request to the server? As per my understanding it shouldn't, but I'm seeing a source IP from the SNAT pool list for the server-side connection.

  • Yes, if you have such a configuration, as this is outside the F5 virtual server (VIP) configuration and it works for all traffic matching this SNAT object. The idea is that if you want to use the F5 devices just as NAT/SNAT devices without load balancing, you use those objects. Read the article below on how this is done:

    https://support.f5.com/csp/article/K47945399

    Please also read this: if you have a VIP with a SNAT pool or automap and separate NAT and SNAT objects, the VIP SNAT config takes priority over the NAT and SNAT objects. If the VIP does not do source translation, then if there are matching NAT and SNAT objects they are used, as the NAT has higher priority than the SNAT. If there is no NAT object and the VIP does not do translation, then the SNAT is used.

    https://support.f5.com/csp/article/K9038

  • To add a bit of clarification, when a packet arrives on the BIG-IP system, and the destination IP address in the packet matches both a host virtual server's Destination Address and a NAT's NAT Address, the virtual server is selected over the NAT (assuming the packet also matches the virtual server's other configuration settings, such as Destination Port, Source Address, and Protocol). Once the host virtual server is selected to process the packet though, nothing in the matching NAT's configuration applies to that traffic. However, if the virtual server's Source Address Translation option is set to None and the source IP address in the packet matches a separate SNAT "listener" object's Origin setting, the system will translate the source IP address for the server-side connection using the SNAT's translation settings. Such a SNAT listener object can be configured in the GUI at Local Traffic > Address Translation : SNAT List.
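The following tmsh session reproduces the situation described in this thread (virtual server with Source Address Translation set to None, pool with Allow SNAT set to Yes, and a standalone SNAT list object whose Origin matches the client) and shows how to confirm which object is translating. It is an added example, not configuration posted by anyone in the thread; all object names and addresses are constructed for illustration.

```tmsh
# Constructed lab example (not from the thread). Commands are typed at the tmsh prompt.
# Names and addresses are hypothetical.

# 1. A SNAT pool and a standalone SNAT "listener" (GUI: Local Traffic >
#    Address Translation : SNAT List). The listener matches on the client
#    SOURCE address and is evaluated independently of any virtual server.
create ltm snatpool snatpool_app members add { 10.20.0.201 10.20.0.202 }
create ltm snat snat_lan_clients origins add { 192.168.10.0/24 } snatpool snatpool_app

# 2. A pool with Allow SNAT = Yes. This only PERMITS translated traffic to the
#    pool; it never triggers translation on its own.
create ltm pool pool_app allow-snat yes members add { 10.20.0.11:80 10.20.0.12:80 }

# 3. A virtual server whose own Source Address Translation is None.
create ltm virtual vs_app destination 10.10.0.100:80 ip-protocol tcp pool pool_app source-address-translation { type none }
save sys config

# 4. Send a request from 192.168.10.5 to 10.10.0.100:80, then inspect the
#    connection table. Because snat_lan_clients matched the client source,
#    the server-side source address will be a snatpool_app member even though
#    vs_app does no translation itself.
show sys connection cs-client-addr 192.168.10.5

# 5. Prove the standalone SNAT is the cause: remove it and open a NEW
#    connection. The server-side source now reverts to the real client address.
delete ltm snat snat_lan_clients
show sys connection cs-client-addr 192.168.10.5
```

Check the server-side column of `show sys connection` on a fresh connection each time: existing flows keep whatever translation was applied when they were created, so a change to the SNAT object only shows up on connections opened after it. If the server-side source still comes from the SNAT pool after the listener is removed, look for a separate NAT object or a second SNAT object whose origins also cover the client range before treating it as a bug.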

  • Yes, it shouldn't happen if source translation is set to None on the VIP. Having "Allow SNAT" on the pool just means that the pool will accept traffic that is translated by a VIP with source translation enabled.

    Check if you have a SNAT list (one-to-one IP mapping) enabled under the F5 LTM configuration, as F5 may do translation if it is also configured there, not only under the VIP; otherwise it could be a bug, so check the bug tracker ( https://support.f5.com/csp/bug-tracker?sf189923893=1 ).

    https://support.f5.com/csp/article/K47945399

    This is also helpful to understand the SNAT/NAT translation order:

    https://support.f5.com/csp/article/K9038

    and

    https://support.f5.com/csp/article/K7820#types

  • Thanks for the response. I see a SNAT list defined with Translation set to use a SNAT pool. So, as per my understanding, if a SNAT list is defined, F5 will do the translation even with SNAT set to None on the VS. Is that correct?