Forum Discussion

kannankris_1363
Nimbostratus
Oct 24, 2013

Forward Proxy Setup is Taking Precedence Over NAT

Hi All,


I need help from you guys (F5 gurus) on an issue which I have been working on for a long time (maybe 5 months).


In my environment we are using a Performance Layer 4 VS (forward proxy setup) for PATing (outbound internet connections) and NATing for inbound connections. The issue which I am facing is that the forward proxy setup is taking precedence over NAT. The inbound connection (from Internet -----> NAT IP) is working fine, but the outbound connection (from original IP ----------> Internet) is not working as expected. It's always getting PATed to the SNAT IP (Cust1_SNAT_Pool-63) which is configured in the forward proxy, but it is supposed to be NATed (Cust1_example-NAT-55). Would be great if someone could shed some light on this issue.


Forward Proxy Conf:-


    ltm virtual Cust1-ForwardProxy {
        description "Cust 1"
        destination 0.0.0.0%2378:any
        mask any
        pool External_default-gateway
        profiles {
            fastL4 { }
        }
        snatpool Cust1_SNAT_Pool-63
        translate-address disabled
        translate-port disabled
        vlans {
            Cust1.app/vlan2378_Cust1
        }
        vlans-enabled
    }


NAT Conf:-


    ltm nat Cust1_example-NAT-55 {
        inherited-traffic-group true
        originating-address x.x.x.x%2378
        traffic-group traffic-group-1
        translation-address 1.1.1.1
    }


3 Replies

  • Sorry but your statements contradict each other. You state VS+PAT for outbound, NAT for inbound then say you expect NAT for outbound but get PAT. Which is it?


  • Thanks for your response!!


    Let me explain with an example.


    10.2.1.0/24 is the customer subnet which is behind LTM.


    Forward Proxy (PAT):- VS Type:- Performance Layer 2, SNAT Pool IP --> 1.1.1.2


    NAT Conf:- Origin IP ----> NAT IP: 10.2.1.24 ----> 1.1.1.1


    Whenever I initiate traffic from 10.2.1.24 it is getting PATed to the SNAT IP, but it is supposed to be NATed, which is not happening for me. PAT is taking precedence over NAT. The inbound connection from the internet towards the NAT IP is working as expected. Only the outbound connection is having the issue.


    In my environment, multiple customers are hosted on the same F5 box, so we are using the route domain concept to separate each customer's subnets. Each customer has a separate route domain and a separate VLAN. The external VLAN (public subnet 1.1.1.X/24) is the same for all customers.


    I hope this answers your question.


  • Ah. Thanks for that, it's clear now. So, SNAT will always take precedence over NAT in this scenario. You have a few options, but I'd suggest an iRule would be best, along with a second SNAT Pool with IP 1.1.1.1. The rule would look like this:

    when CLIENT_ACCEPTED {
        # Select alternative SNAT Pool if this is 10.2.1.24
        if { [IP::addr [IP::client_addr] equals 10.2.1.24] } {
            snatpool name  ;# replace "name" with the second SNAT Pool (1.1.1.1)
        }
        # All other hosts will use the SNAT Pool assigned to the VS (1.1.1.2)
    }
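As an added example that is not from the thread or from F5, the same approach generalised to several customer hosts: a data group maps each origin address to the SNAT pool holding its NAT address, so adding a host is a data-group edit rather than an iRule change. The data-group name Cust1_static_snat_map and the pool name Cust1_SNAT_Pool-55 are assumptions; only Cust1_SNAT_Pool-63 (1.1.1.2) comes from the thread.

```tcl
# Assumed objects (names chosen for this example, not defined in the thread).
# Create them before attaching the iRule to the forward-proxy VS:
#   ltm snatpool Cust1_SNAT_Pool-55 { members { 1.1.1.1 } }   (add %rd suffix as required)
#   ltm data-group internal Cust1_static_snat_map {
#       type ip
#       records { 10.2.1.24/32 { data Cust1_SNAT_Pool-55 } }
#   }
when CLIENT_ACCEPTED {
    # With route domains IP::client_addr may carry a %<rd> suffix;
    # drop it so the data-group lookup matches on the address alone.
    set client_ip [getfield [IP::client_addr] "%" 1]

    # Look up the SNAT pool assigned to this origin host; empty string if none.
    set pool [class match -value $client_ip equals Cust1_static_snat_map]

    if { $pool ne "" } {
        # Static mapping: this host leaves via its dedicated NAT address.
        snatpool $pool
        log local0. "outbound $client_ip -> snatpool $pool"
    } else {
        # No entry: keep the pool configured on the VS (Cust1_SNAT_Pool-63, 1.1.1.2).
        log local0. "outbound $client_ip -> default VS snatpool"
    }
}
```

The log lines are there so /var/log/ltm shows which pool each outbound connection picked while you verify the mapping; remove them once it behaves as expected.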