NAT object in LC

Question

Hi all,&nbsp;
&nbsp;Im trying to understand why it works sometimes and others doesnt.&nbsp;
&nbsp;I have 3 links in a LC.
&nbsp;A default GW route using a gw_pool in round robin loadbalance mode with the 3 ips of each link.
&nbsp;Defined a VS 0.0.0.0 with that gw_pool too.&nbsp;
&nbsp;I need that one specific server from internal networks goes out with a specific ip address from 1 link only.
&nbsp;I think the same NAT could give me the inbound traffic correctly.&nbsp;&nbsp;
&nbsp;I have done some tests, and for inbound traffic, it wotks perfectly.
&nbsp;I ping the NAT address, and the packets are beeing translated to the origin address correctly.&nbsp;
&nbsp;For outbound traffic, sometimes i could reach the outside, others dont. When i can reach the outside, the NAT is performed correctly, cause i can see the source ip on the internet server.&nbsp;&nbsp;
&nbsp;Any ideas what could be happening ?
&nbsp;How can i troubleshoot this ?&nbsp;
&nbsp;Best Regards,
&nbsp;Bruno Petrónio&nbsp;&nbsp;&nbsp;

chris_miller · Answer

I'd recommend creating an iRule to SNAT your traffic on the way out so you can make sure it uses the proper link... 
  
 I'd do something like this: 
  
 1. Create a gateway pool with that specific link called "gw_pool_x" where x is your link 
 2. Create a SNAT Pool with the NAT address from that link - let's call it "snatpool_x" 
 3. Create an iRule and apply it to the VS.

when CLIENT_ACCEPTED {
  if {[[IP::client_addr] equals x.x.x.x] } {
     pool gw_pool_x 
     snatpool snatpool_x  } }

Something like that should work...

bpetronio_11363 · Answer

Thank You Chris,&nbsp;
&nbsp;From what i have read, i cant use the same ip address on snat and nat simultaneously, and i will need to perform inbound and outbound Adress Translation.&nbsp;
&nbsp;So for outbound i guess it was a good choice but and for inbound ?&nbsp;
&nbsp;Just for clarify, when u mention "3. Create an iRule and apply it to the VS. 3. Create an iRule and apply it to the VS. ", you are refering to VS_Outbound (0.0.0.0), right ?&nbsp;&nbsp;
&nbsp;Best Regards,
&nbsp;Bruno Petrónio&nbsp;

chris_miller · Answer

I am indeed referring to your VS_Outbound. 
&nbsp;  
&nbsp; I'm not sure whether you can have both a NAT and SNAT - I haven't tried it. I know you can have a SNAT with the same address as a Virtual Server though so I would expect you could do it...

cspillane_18296 · Answer

Hello Gents, 
&nbsp;  
&nbsp; I just wanted to clarify that a NAT and SNAT can't share an address - the NAT needs to have a unique address.  The SNAT can however share an address with a Virtual Server/SelfIP or use a seperate address. 
&nbsp;  
&nbsp; I hope this helps :S

chris_miller · Answer

Thanks for the clarification Cspillane!  
&nbsp;  
&nbsp; Bruno - can you help us understand the need for the inbound NAT? Since you can use SNAT with a VS, why not just use VSes instead of NATs?

Forum Discussion

NAT object in LC

6 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

BIG-IP AFM設定例-NAT

OWASP Tactical Access Defense Series: Broken Object Property Level Authorization and BIG-IP APM

Duplicating BIG-IP Objects

Using shared object with BigIP

OWASP Tactical Access Defense Series: Broken Object Level Authorization and BIG-IP APM