Forum Discussion
Will there be any conflict if the SNAT address is the same as one of the virtual servers?
Hi,
I am translating a CSS configuration and there are some services that have a SNAT address that is the same as a virtual server IP. For example:

    ltm virtual /Common/vs_mse1dr-snat {
        destination /Common/0.0.0.0:0
        ip-forward
        mask any
        profiles {
            /Common/fastL4 { }
        }
        source 192.168.52.71/32
        source-address-translation {
            pool /Common/MSE1dr-nat
            type snat
        }
        translate-address disabled
        translate-port disabled
        vlans {
            /Common/VLAN61
        }
        vlans-enabled
    }
    ltm virtual /Common/vs_mse1dr-vs {
        destination /Common/192.168.52.71:0
        mask 255.255.255.255
        pool /Common/mse1dr-vs
        profiles {
            /Common/ipother { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
    }

Will there be any conflict?
Thanks.
2 Replies
- bhs_114985 (Historic F5 Account)
Hi Sammo,
I wouldn't call it best-practice but you should be OK. When the proxy opens up its server-side connection using the virtual address as its source, it will use a unique source port and TCP connection.

    client 1.1.1.1:1024 ---> VS 1.1.1.2:80 ---> VS (SNAT) 1.1.1.2:1024 ---> Real Server:port
- StephanManthey (Nacreous)
Hi Sammo,
Using a virtual IP as a SNAT is fine from my perspective.
I.e. I'm using it typically to SNAT outgoing mail.
As the receiver will probably do a reverse lookup, it has to match one of the IPs the MX records for the sender domain resolve to. This way you lower the risk of getting classified as a spammer.
Inbound mail is handled by virtual servers using the same IP.
As Brad already wrote, the virtual server is using a state table.
I can imagine conflicts with protocols like SIP using UDP as transport with fixed ports for source and destination.
Thanks, Stephan
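
The state-table behaviour both replies describe, as an added example that is not part of the original thread and is not F5 code: a simplified Python model in which server-side flows are keyed by the full 5-tuple. `FlowTable`, its methods and every address except 192.168.52.71 are constructed for illustration.

```python
# Simplified model of a proxy state table (illustrative assumption, not F5's implementation).
VIP = "192.168.52.71"  # address shared by the virtual server and the SNAT pool

class FlowTable:
    def __init__(self):
        # server-side 5-tuple -> original client (ip, port)
        self.flows = {}

    def snat(self, proto, client, dst, fixed_port=False):
        """Create a server-side flow sourced from VIP and return the source port used.

        The client's port is tried first; unless the protocol needs a fixed
        source port, any free port from 1024 upwards is an acceptable fallback.
        """
        candidates = [client[1]] if fixed_port else [client[1], *range(1024, 65536)]
        for port in candidates:
            key = (proto, VIP, port, dst[0], dst[1])
            owner = self.flows.get(key)
            if owner is None or owner == client:
                self.flows[key] = client
                return port
        raise RuntimeError(f"5-tuple already in use: cannot translate {client} -> {dst}")

    def classify_inbound(self, proto, src, dport):
        """Packet arriving at VIP: reply to a SNATed flow, or a new client connection?"""
        client = self.flows.get((proto, VIP, dport, src[0], src[1]))
        return ("return-traffic", client) if client else ("new-connection", None)

def demo():
    t = FlowTable()
    mx = ("203.0.113.25", 25)        # constructed remote mail server
    sip = ("203.0.113.50", 5060)     # constructed remote SIP peer
    out = {}
    # Two inside hosts pick the same ephemeral port: the second is moved to a free one.
    out["tcp_ports"] = (t.snat("tcp", ("10.0.0.1", 40000), mx),
                        t.snat("tcp", ("10.0.0.2", 40000), mx))
    # Reply from the mail server matches an existing flow; an unrelated client does not.
    out["reply"] = t.classify_inbound("tcp", mx, 40000)
    out["new"] = t.classify_inbound("tcp", ("198.51.100.7", 51000), 25)
    # SIP over UDP with fixed source and destination ports: no port left to vary.
    t.snat("udp", ("10.0.0.1", 5060), sip, fixed_port=True)
    try:
        t.snat("udp", ("10.0.0.2", 5060), sip, fixed_port=True)
        out["sip_conflict"] = False
    except RuntimeError:
        out["sip_conflict"] = True
    return out

if __name__ == "__main__":
    print(demo())
```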