Forum Discussion
OttimoMassimo_1
Nimbostratus
May 13, 2013
Using the same IP address for a VIP and a SNAT - yay or nay?
Hi,
We've run into a potential issue with response times from a VIP. Said VIP shares an IP address with a unique SNAT for outbound connections from a range of internal hosts. The VIP shares a ra...
Adrian_Turcu_10
Nimbostratus
May 14, 2013
First, thanks for the reply Steve.
I'm trying to get to the bottom of that logic on how the LTM will get confused with the connections originated on two different nw segments...
The VS defined with "virtual external-VIP" listens on port 80/TCP only. It is presented on an external VLAN interface. Clients connecting to it (Internet originated) have a source port > 1024 (a firewall on the public domain ensures that). This external VS also has "snat automap", which will "hide" the external clients' originating IP address from the backend servers.
The VS defined with "virtual snat-wcard" listens on all ports but is only presented on an internal VLAN. The SNAT performed by this VS is on the same IP as the external VS, but the ports used outbound are always > 1024. How do I know this? The servers on the internal VLAN are managed by ourselves as well (i.e. we are a closed shop for this traffic - we = the company), and when they need to make an outbound connection (locally originated connection to the wild Internet), the IP ports used are between 32768 and 61000 (controlled with /proc/sys/net/ipv4/ip_local_port_range). Also, I checked the F5 Linux OS and /proc/sys/net/ipv4/ip_local_port_range also shows a range from 32768 to 61000.
So, you are saying here (correct me if wrong) that when an internal-VLAN client makes a request outbound (in this particular config), the F5, after doing the SNAT on the external-VLAN IP, can choose any random port between 1 and 64k? And this totally bypasses the ip_local_port_range defined in the F5 Linux OS? Just curious...
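The worry behind this post is whether an outbound SNAT flow and an inbound VIP flow that share one external IP can end up indistinguishable in a stateful connection table. The following is an added illustration, not code from this thread or from F5: it models a generic device that identifies a TCP flow by the unordered pair of endpoints (so a packet and its reply hit the same entry), uses constructed addresses, and assumes nothing about how LTM actually allocates SNAT ports; the 32768-61000 range is the one quoted in the post.

```python
"""Toy connection table for a VIP and a SNAT that share one IP address.

Constructed example. A flow is keyed on (proto, {endpoint A, endpoint B})
so that the forward and reverse directions of one connection collide on the
same key; that is exactly the property a SNAT port allocator has to respect.
"""

SHARED_IP = "203.0.113.10"             # constructed: IP used by the VIP and the SNAT
VIP_PORT = 80                          # "virtual external-VIP" listens on 80/TCP only
SNAT_PORTS = range(32768, 61001)       # ip_local_port_range quoted in the thread


def flow_key(a_ip, a_port, b_ip, b_port, proto="tcp"):
    """Direction-independent flow identity: A->B and B->A map to one key."""
    return (proto, frozenset({(a_ip, a_port), (b_ip, b_port)}))


class ConnTable:
    def __init__(self):
        self.flows = {}

    def add(self, key, label):
        if key in self.flows:
            raise ValueError(f"ambiguous flow: {label} collides with {self.flows[key]}")
        self.flows[key] = label

    def inbound_to_vip(self, client_ip, client_port):
        """Internet client -> SHARED_IP:80 through the external VIP."""
        self.add(flow_key(client_ip, client_port, SHARED_IP, VIP_PORT),
                 f"inbound {client_ip}:{client_port} -> VIP:{VIP_PORT}")

    def outbound_snat(self, dst_ip, dst_port, ports=SNAT_PORTS):
        """Internal host -> Internet via the wildcard VS, source NATed to SHARED_IP.

        Returns the translated source port. Any candidate port whose key is
        already in the table (including a port that would mirror an existing
        inbound VIP flow) is skipped rather than reused.
        """
        for port in ports:
            key = flow_key(SHARED_IP, port, dst_ip, dst_port)
            if key not in self.flows:
                self.add(key, f"outbound {SHARED_IP}:{port} -> {dst_ip}:{dst_port}")
                return port
        raise RuntimeError(f"SNAT port range exhausted for {dst_ip}:{dst_port}")


if __name__ == "__main__":
    table = ConnTable()
    table.inbound_to_vip("198.51.100.7", 40000)
    # Port 80 would mirror the inbound flow above, so the allocator must skip it.
    print(table.outbound_snat("198.51.100.7", 40000, ports=[80, 32768]))
```

Restricting translated source ports to 32768-61000 keeps them clear of the listening port 80, but the table check is what actually prevents the mirror-image collision.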