VS and NAT precedence
Hi,
I was under the impression that when there is a NAT and a VS defined (both matching the incoming packet), then the VS always wins. That is the case for SNAT, except when Source Address Translation is set to None on the VS and a matching SNAT object exists.
But still, for SNAT there is full control over whether SNAT should be used or not (even if SNAT is None on the VS, we can set Allow SNAT to No on the Pool).
The problem is that there seems to be no such control for NAT.
Scenario:
- Network VS, Forwarding (IP) type
  - Source Address: 10.1.20.252/32
  - Destination Address/Mask: 192.168.104.0/24
  - Service Port: All
  - Source Address Translation: None
  - Enabled On: VLAN int
- NAT object
  - Origin Address: 10.1.20.252
  - NAT Address: 10.128.11.51
- Host sending traffic to the 192.168.104.0/24 subnet
  - Host IP: 10.1.20.252 (matching both the NAT Origin Address and the VS Source Address)
  - Default GW: BIG-IP Self IP on VLAN int
Result:
All traffic leaving BIG-IP on VLAN ext has its src IP NATed to 10.128.11.51 (the NAT Address).
What's more, looking at the NAT and VS stats, it's obvious that traffic is processed by both the VS and the NAT (the same packet count is reported on both).
I wonder if this is expected behaviour? If so, it seems there is no way to prevent NATing the src IP for such a configuration; the only way is to set the NAT object to disabled, which seems a little drastic.
Piotr
nathe (Cirrocumulus):
Piotr, having re-read "The order of precedence for local traffic object listeners" and "A virtual server with a SNAT pool takes precedence over matching the NAT", I can confirm you are seeing expected behaviour.
In your example the VS wins out as the destination listener is matched (not the case for the NAT object). The NAT is then applied as it matches a source listener.
If you don't want to map, then you could use SNAT Automap/Pool on the VS to override this NAT object, or not have the NAT in place and revisit the traffic flows for the best VS/NAT/SNAT configuration.
Hope this helps,
N
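The configuration discussed above expressed as tmsh commands, as an added example that is not from either poster: it builds the forwarding VS and the NAT object exactly as described, then applies the override nathe suggests. The object names fwd_vs, nat_252 and ext_snatpool and the SNAT pool member 10.128.11.60 are assumptions; the addresses, mask and VLAN names are taken from the thread.

```tmsh
# Constructed example, not from the original thread.
# Object names (fwd_vs, nat_252, ext_snatpool) are assumptions;
# addresses and VLAN names come from the scenario in the thread.

# 1. Forwarding (IP) virtual server, Source Address Translation: None
create ltm virtual fwd_vs \
    ip-forward \
    source 10.1.20.252/32 \
    destination 192.168.104.0:any mask 255.255.255.0 \
    ip-protocol any \
    translate-address disabled translate-port disabled \
    vlans-enabled vlans add { int } \
    source-address-translation { type none }

# 2. NAT object whose originating address also matches the host
create ltm nat nat_252 originating-address 10.1.20.252 translation-address 10.128.11.51

# With both objects present, a flow from 10.1.20.252 to 192.168.104.0/24
# is accepted by fwd_vs (destination listener wins) and still leaves on
# VLAN ext with source 10.128.11.51, because the NAT's source listener is
# applied to the same flow; both objects count the packets.

# 3. Override: give the VS its own source translation so the NAT is not applied
modify ltm virtual fwd_vs source-address-translation { type automap }

# Alternative override with an explicit SNAT pool
# (10.128.11.60 is a placeholder for an address you own on VLAN ext):
# create ltm snatpool ext_snatpool members add { 10.128.11.60 }
# modify ltm virtual fwd_vs source-address-translation { type snat pool ext_snatpool }

# Verify which objects the flow is hitting and what the translated source is
show ltm virtual fwd_vs
show ltm nat nat_252
show sys connection cs-client-addr 10.1.20.252
```

After step 3, the packet counters on nat_252 should stop increasing for this host while fwd_vs continues to count, and the connection table shows the automap self IP (or the SNAT pool member) as the server-side source instead of 10.128.11.51. Disabling the NAT object is therefore only needed if no VS should ever receive the translated source.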