
Understanding SNAT

Srikar
Altostratus

SNAT pool is configured but source translation is set to None on Virtual Server and there is a pool attached to it which has Allow SNAT as yes. Does translation happen in this case when client sends a request to server? As per my understanding it shouldn’t, but I’m seeing source IP from SNAT pool list for server side connection.

1 ACCEPTED SOLUTION

Yes, if you have such a configuration, as this is outside the F5 Virtual servers (VIP) configuration and it works for all traffic matching this SNAT object. The idea is that if you want to use the F5 devices just as NAT/SNAT devices without load balancing, you use those objects. You can read the article below on how this is done:

https://support.f5.com/csp/article/K47945399

Please also read this, as if you have a VIP with SNAT pool or auto map and separate NAT and SNAT objects, the VIP SNAT config takes priority over the NAT and SNAT objects. If the VIP does not do source translation, then if there are matching NAT and SNAT objects, they are used, as the NAT has higher priority than the SNAT. If there is no NAT object and the VIP does not do translation, then the SNAT is used.

https://support.f5.com/csp/article/K9038


4 REPLIES

Yes, it shouldn't happen if source translation is set to None on the VIP. Having "Allow SNAT" on the pool just means that the pool will accept traffic that is translated by a VIP with source translation enabled.

Check if you have a SNAT list (one-to-one IP mapping) enabled under the F5 LTM configuration, as F5 may do translation if it is also configured there, not only under the VIP; otherwise it could be a bug, and then check the bug tracker ( https://support.f5.com/csp/bug-tracker?sf189923893=1 )

https://support.f5.com/csp/article/K47945399

This is also helpful to understand the SNAT/NAT translation order:

https://support.f5.com/csp/article/K9038

and

https://support.f5.com/csp/article/K7820#types

Srikar
Altostratus

Thanks for the response. I see SNAT List defined with Translation set to use SNAT Pool. So, as per my understanding, if SNAT list is defined, F5 will do the translation even if SNAT is set to None on VS. Is it correct?


crodriguez
Legacy Employee

To add a bit of clarification, when a packet arrives on the BIG-IP system, and the destination IP address in the packet matches both a host virtual server's Destination Address and a NAT's NAT Address, the virtual server is selected over the NAT (assuming the packet also matches the virtual server's other configuration settings, such as Destination Port, Source Address, and Protocol). Once the host virtual server is selected to process the packet though, nothing in the matching NAT's configuration applies to that traffic. However, if the virtual server's Source Address Translation option is set to None and the source IP address in the packet matches a separate SNAT "listener" object's Origin setting, the system will translate the source IP address for the server-side connection using the SNAT's translation settings. Such a SNAT listener object can be configured in the GUI at Local Traffic > Address Translation : SNAT List.
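
A small model of the precedence described in this thread (virtual server setting first, then a matching NAT, then a SNAT List object), added here as an illustration and not part of the original posts or F5's own code. It flags virtual servers set to None whose pool members will still see a translated source, which matters when server logs or IP-based ACLs rely on the client address; the class names, object names and addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class VirtualServer:
    name: str
    source_translation: str          # "none", "automap" or "snatpool"
    snat_pool: str = ""

@dataclass
class Nat:                           # standalone NAT object
    name: str
    origin: str
    nat_address: str

@dataclass
class Snat:                          # entry under Address Translation : SNAT List
    name: str
    origins: list                    # Origin networks in CIDR form
    translation: str

def effective_translation(vs, client_ip, nats, snats):
    """Return (translating object, translation) for the server-side connection."""
    src = ip_address(client_ip)
    if vs.source_translation != "none":          # 1. VIP setting takes priority
        return (f"virtual:{vs.name}", vs.snat_pool or vs.source_translation)
    for nat in nats:                             # 2. NAT is preferred over SNAT
        if src == ip_address(nat.origin):
            return (f"nat:{nat.name}", nat.nat_address)
    for snat in snats:                           # 3. SNAT List Origin match
        if any(src in ip_network(o) for o in snat.origins):
            return (f"snat:{snat.name}", snat.translation)
    return ("none", client_ip)                   # servers see the real client

def audit(virtuals, clients, nats, snats):
    """Rows (vs, client, object, translation) where a VS set to None is translated anyway."""
    rows = [(vs.name, ip, *effective_translation(vs, ip, nats, snats))
            for vs in virtuals if vs.source_translation == "none" for ip in clients]
    return [r for r in rows if r[2] != "none"]

# Constructed sample configuration (all names and addresses are made up).
VIRTUALS = [VirtualServer("vs_app", "none"), VirtualServer("vs_web", "snatpool", "web_snatpool")]
NATS = [Nat("nat_admin", "10.1.1.50", "192.0.2.50")]
SNATS = [Snat("outbound_snat", ["10.1.0.0/16"], "snatpool:shared_snatpool")]
CLIENTS = ["10.1.1.50", "10.1.2.7", "172.16.5.9"]

if __name__ == "__main__":
    print(audit(VIRTUALS, CLIENTS, NATS, SNATS))
```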