VIPS without automap

Hi Sam,

SNAT insures that all calls made on behalf of the Client are routed back to the F5 for properly delivery back to the Client. It prevents any calls from back end servers or services from making a call directly back to the Client (since the Client wouldn't be expecting to hear from anyone except who it initiated a connection to (Prevents Broken Routes)).

Does the Server(s) live on a Subnet owned by the F5? Does the Application(s) make any calls to other servers or services?

Hi Sam,

SNAT insures that all calls made on behalf of the Client are routed back to the F5 for properly delivery back to the Client. It prevents any calls from back end servers or services from making a call directly back to the Client (since the Client wouldn't be expecting to hear from anyone except who it initiated a connection to (Prevents Broken Routes)).

Does the Server(s) live on a Subnet owned by the F5? Does the Application(s) make any calls to other servers or services?

If you dont want to use automap... here is an irule that does an "automap-like" response but you choose the IP for the snatpool.

when CLIENT_ACCEPTED {
 if { [matchclass [IP::client_addr] equals datagroup_Hosts]} {
    snatpool snatpool_SNAT
    }
}

If you dont want to use automap... here is an irule that does an "automap-like" response but you choose the IP for the snatpool.

when CLIENT_ACCEPTED {
 if { [matchclass [IP::client_addr] equals datagroup_Hosts]} {
    snatpool snatpool_SNAT
    }
}

The whole idea behind SNAT and automap (a form of SNAT) is to force return routing through the BIG-IP. As Michael stated, the default action for a standard virtual server is to not translate te client's source address. This means that, by default, the request arriving at the server behind the F5 will have the client's true source address. If the server knows how to route back to that client that doesn't involve going back through the F5, then it will bypass it. In most cases this will break the transaction because the client will receive a response from an address that it never sent a request to (the server's source address). SNAT changes the source address to something controlled by the F5 so that the server will natively respond back to that IP. The down side of that, of course, is that the server does not see the client's real IP address. You then have a few options:

1. Make the servers use the F5 as their default gateway. Ultimately you have to force the return traffic back through the F5.

    

2. Inject the client's IP into a header or packet. This method is entirely dependent on the protocol you're passing.

    

Let's first validate that traffic is in fact returning to the F5. Do you see the server sending the traffic back to the F5? Or more important, do you see the returning traffic coming to the F5?

yes i did a tcpdump and saw the server responding back to the f5

If your pool members are linux, you do have another option. With a little assist from iproute2 and iptables, you set the bigip as a conditional gateway via layer 2. See the writeup here:

https://devcentral.f5.com/codeshare/kill-snat-automap

Known to work on 11.x or better but I see no reason why it wouldn't run on older versions. The required shell script is supplied with the writeup.