Forum Discussion

LuisPuma_134788
Jun 13, 2014

SNAT/NAT does not work. It changes src and dst ports

Hello guys.


Just applied an SNAT to translate the whole 10.0.0.0/8 network to a SNAT pool composed of three public IPs from three ISPs. It works really fine because any user from the inside net gets one IP for navigation. Great! But I need a single server 10.1.x.x/32 to reach the Internet using another IP, different from the SNAT pool. I thought it would be simple when creating the SNAT. But unfortunately it does not work, because the BIG-IP changes the ports; the IP translation is there, but no real traffic (payload) flows. I also tried with a NAT, but got the same results.


Here is the capture. I have completely erased the SNAT IP and partially erased the private IP and the destination.


Thanks!


4 Replies

  • Can you provide both SNAT pool configs? This is how I would do it: copy the config to a notepad, then do a find/replace and sanitize the IPs, using dummy ones. So what you are saying is the first pool works fine and the 2nd SNAT pool does not? If the BIG-IP changes ports it would store that in its connection table and change it back, unless I am missing something here.


  • Hi, maybe it doesn't work because of IP address overlapping. Try to exclude 10.1.x.x/32 from 10.0.0.0/8.


  • Can you show us the CLI output of the SNAT configurations please? The most specific SNAT should be used.


    You mean only the source port changes right?


  • Hello friends,

    I am sending the configuration of the SNAT lists and SNAT pools. Besides changing the ports, the F5 is not matching the more specific SNAT as expected. The F5 is matching 10.1.190.20 with one IP of the global SNAT.

    [root@ns2:Active:Changes Pending] ~  tmsh list /ltm SNAT
    ltm snat SNAT_Network10 {
        origins {
            10.0.0.0/8 { }
        }
        snatpool /Common/pool_SNAT_Network10
    }
    ltm snat snat-vpn-ipsec {
        origins {
            10.1.190.20/32 { }
        }
        translation /Common/200.200.200.30
    }

    ltm snatpool pool_SNAT_Red10 {
        members {
            100.100.100.20
            200.200.200.20
            250.250.250.20
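As an added illustration of the "most specific SNAT should be used" point made above (example code written for this thread, not F5 code and not BIG-IP's real selection logic), the following parses the two `ltm snat` objects from the posted listing, with the missing closing brace of `snat-vpn-ipsec` assumed restored, and picks the origin with the longest prefix for a given source address. With the config as posted, 10.1.190.20 should land on the /32 translation, and any other 10.x address on the /8 pool.

```python
import ipaddress
import re

# Constructed sample: the two SNAT objects from the thread's tmsh listing,
# with the closing brace of snat-vpn-ipsec assumed (it is cut off in the post).
TMSH_LISTING = """
ltm snat SNAT_Network10 {
    origins {
        10.0.0.0/8 { }
    }
    snatpool /Common/pool_SNAT_Network10
}
ltm snat snat-vpn-ipsec {
    origins {
        10.1.190.20/32 { }
    }
    translation /Common/200.200.200.30
}
"""

# One "ltm snat NAME { ... }" block; the closing brace sits at column 0.
SNAT_RE = re.compile(r"ltm snat (\S+) \{(.*?)\n\}", re.S)
# An origin entry such as "10.0.0.0/8 { }" (mask optional for a bare host).
ORIGIN_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+(?:/\d+)?) \{ \}")


def parse_snats(listing):
    """Return [(name, [origin networks], (kind, target))] from tmsh output."""
    snats = []
    for name, body in SNAT_RE.findall(listing):
        origins = [ipaddress.ip_network(o, strict=False)
                   for o in ORIGIN_RE.findall(body)]
        m = re.search(r"^\s*(snatpool|translation)\s+(\S+)", body, re.M)
        target = (m.group(1), m.group(2)) if m else None
        snats.append((name, origins, target))
    return snats


def select_snat(snats, src_ip):
    """Longest-prefix match: (prefixlen, snat name, target) or None."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for name, origins, target in snats:
        for net in origins:
            if src in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name, target)
    return best
```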