Forum Discussion

Daniel_55334's avatar
Daniel_55334
Icon for Altostratus rankAltostratus
Aug 27, 2008

Using NAT and SNAT at the same time

Customer have setup like this. They have VS that act like reverse proxy. The backend servers for these VS are not located in their network. They have internal servers, located behind BIG-IP, that need to access these VS. SNAT pool is configured on these VS.

 

These internal servers also need to communicate with outside servers directly. So NAT for these internal servers are configured.

 

As BIG-IP will use the more specific match for address translation, so now internal servers would use the NAT ip to access the backend servers of the VS, as well as to access the outside servers directly.

 

Here is my question. Can they use the SNAT ip to access backend servers of VS, but the NAT ip to talk with outside servers directly?
config
design
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    Aug 27, 2008
    You'd have to have an iRule to handle the logic of when to use SNAT vs. NAT, and then you have to have some sort of virtual server that passes those outbound connections to apply that iRule to.

     

     

    Denny
  • Daniel_55334's avatar
    Daniel_55334
    Icon for Altostratus rankAltostratus
    Aug 28, 2008
    Thanks for the reply.

     

    However I just checked that, on the backend server, the source ip coming in is the SNAT pool ip address of the VS rather than the NAT ip address of the client. Doesn't BIG-IP choose the more specific match for the outgoing source translation?
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    Aug 28, 2008
    I think I glossed over where you said "reverse proxy" here so I was confused on what was "internal"...it's going to depend on where the request originates and to what address. If a connection is made to the VIP that happens to be configured to SNAT, that will override any forwarding behavior through a NAT, and the BIG-IP won't change the session midstream to use the NAT. So in your case, I think the answer to your original question is yes.

     

     

    Denny
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 28, 2008
    I don't think there is a way to apply/disable a NAT from an iRule. However, the behavior you're seeing is expected assuming the destination IP matches a VIP with SNAT enabled:

     

     

    SOL9039: A virtual server with a SNAT pool takes precedence over matching the NAT (Click here)

     

     

    I try to avoid NATs altogether. VIPs and SNATs should give you better functionality, including more control over which source and destination hosts are able to communicate directly. You can get some ideas on allowing admin access from SOL7229:

     

     

    SOL7229: Methods of gaining administrative access to nodes through the BIG-IP system (Click here)

     

     

    You can take a similar approach for allowing the nodes to access external hosts.

     

     

    Aaron