kldev_132889
Sep 03, 2013

Automap SNAT with Multiple VIPs

I want to create two VIPs on our F5 and set up two inbound AutoMaps on each VIP. The automaps would both translate the same specific inbound address to the floating IP associated with the appropriate external interface. Each VIP has member servers sitting on separate subnets, and the servers aren't using the floating IP as the route back to this source, so I want to NAT it as it comes in. I had tried to do this before, but it appeared to translate all traffic coming into the server instead of only translating the specific traffic listed in the SNAT list. I wanted to make sure this was possible before I attempted this again, as everything I have seen on most sites seems to indicate it is possible.

 

Any feedback or better suggestion would be appreciated.

 

11 Replies

  • Sorry, it's not quite clear, do you want to SNAT all traffic passing through the VIPs or only specific client addresses passing through the VIPs?

     

  • I understand you have a SNAT list with a specific source address, haven't you?

    Have you tried to set SNAT none under the virtual server configuration? When traffic hits the virtual server, since the virtual server's SNAT is set to none, the SNAT list would apply to the traffic.

     

    • kldev_132889
      I want to SNAT only specific traffic passing through the VIP. I was thinking I needed to set up a SNAT list with the translation set to Automap and apply that to each VIP. However, per what you're saying, I think I am making this too difficult, and if I just set up the SNAT list instead of what I was trying to do, all of my specific source addresses coming in through each VIP will be translated to the correct floating IP associated with the outside interface it should route out of? And the rest of my addresses will remain un-translated that are not specified in the address list?
  • if I just set up the SNAT list instead of what I was trying to do, all of my specific source addresses coming in through each VIP will be translated to the correct floating IP associated with the outside interface it should route out of? And the rest of my addresses will remain un-translated that are not specified in the address list?

     

    You mean a SNAT list with a specific origin address and translation automap, and SNAT none under the virtual server configuration, don't you? Yes, I think so.

     

  • Another option: if you want to use a specific SNAT for specific IP addresses and then do NOT use SNAT for any other traffic, then perhaps the following iRule and link can get you there as well. https://devcentral.f5.com/questions/snat-based-on-incoming-ip

    You can remove the logging section once you have confirmed it is working for.

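    when CLIENT_ACCEPTED {
      # Pick the translation address from the client source IP.
      # Clients not listed fall through to "default" and are not translated.
      switch [IP::client_addr] {
        "172.16.21.201" { snat 172.16.31.201 }
        "10.10.10.11" { snat 192.168.42.11 }
        "10.10.10.12" { snat 192.168.42.12 }
        "10.10.10.13" { snat 192.168.42.13 }
        default { snat none }
      }
    }
    
    when SERVER_CONNECTED {
      # Logging section: records the client, the source address and port used
      # toward the server, and the server that was selected.
      log local0. "client [IP::client_addr]:[TCP::client_port] snat [IP::local_addr]:[TCP::local_port] server [IP::server_addr]:[TCP::server_port]"
    }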
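
The SNAT-list approach discussed in the replies above (a SNAT object with specific origin addresses and automap, plus SNAT none on each virtual server), written out as tmsh commands. This is an added example, not part of any post in the thread; the object names, VLAN name and addresses are hypothetical placeholders, and it assumes a TMOS version where the virtual server setting is named `source-address-translation`.

```tmsh
# Added example; all names and addresses below are constructed placeholders.

# 1. SNAT object: only the listed origin (client source) addresses match.
#    "automap enabled" translates them to a self IP on the VLAN the traffic
#    leaves through, so each pool's subnet sees the self IP of its own VLAN.
#    "vlans-enabled" limits the SNAT to traffic arriving on the listed VLAN
#    ("external" is assumed to be the client-facing VLAN).
create ltm snat snat_specific_clients origins add { 10.10.10.11/32 10.10.10.12/32 } automap enabled vlans-enabled vlans add { external }

# 2. Both virtual servers: no source address translation on the VIP itself,
#    so the decision is left to the SNAT object. Setting automap here instead
#    would translate every client that connects to the VIP.
modify ltm virtual vip_app1 source-address-translation { type none }
modify ltm virtual vip_app2 source-address-translation { type none }

# 3. Review the resulting configuration.
list ltm snat snat_specific_clients
list ltm virtual vip_app1 source-address-translation
list ltm virtual vip_app2 source-address-translation

# 4. Check live connections from one listed client and one unlisted client.
#    The server-side source address should be a self IP for the first and
#    the original client address for the second.
show sys connection cs-client-addr 10.10.10.11
show sys connection cs-client-addr 10.10.10.99

# 5. Persist the change.
save sys config
```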