How to configure SNAT to use a Virtual Server as source IP?

Question

Hello,&nbsp;
I'm pretty new in F5 configuration. I read quite some F5 documentation and several posting on SNAT but I couldn't figure out how to configure the F5 to route traffic (stateful) from my internal network (192.168.28.0/29 vlan 28) towards my external network (10.44.36.120/29 untagged).&nbsp;
On the internal network side the F5 has 192.168.28.6 as Self-IP and on the external network the F5 has a 10.44.36.123 as Virtual Server IP&nbsp;
I managed to configure inbound HTTP traffic (imcoming at 10.44.36.123) to balance over 192.168.28.1 - 4&nbsp;
Now I would like to configure outbound traffic (stateful), port 2900 to an external node with IP 10.44.36.122.&nbsp;
I hope someone is able to help me to get further.
You help is very much appreciated.&nbsp;

nathe · Answer

A Host IP forwarding virtual server should help you here. &nbsp;
See http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html&nbsp;
N&nbsp;

m_radstake_1687 · Answer

Hi Nathan,&nbsp;
I've tried your proposed solution but I can't get it working:&nbsp;
ltm virtual /Common/VSSMSC {
    destination /Common/10.44.36.122:0
    ip-forward
    mask 255.255.255.255
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan28
    }
    vlans-enabled
}&nbsp;
I made a tcpdump-trace in the F5 and see the traffic arriving at the Self-IP 192.169.28.6 (vlan28).
However I don't see the traffic arriving at host 10.44.36.122.&nbsp;
What I'am wondering is how the F5 knows it should use 10.44.36.123 as the source IP when sending the packets to 10.44.36.122 ?&nbsp;

nathe · Answer

.123 looks like a virtual server address, it wont translate to that. In the forwarding VS setup configure a SNAT pool or SNAT automap (automap translates behind egress interface ip on the 10.44.3.120 subnet)

m_radstake_1687 · Answer

I added a snat-pool as below to the virtual server, but still nothing visible at my destination (.122)&nbsp;
}
ltm snat-translation /Common/10.44.36.123 {
    address 10.44.36.123
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/SMSCsnatPool {
    members {
        /Common/10.44.36.123
    }&nbsp;
ltm virtual /Common/VSSMSC {
    destination /Common/10.44.36.122:0
    ip-forward
    mask 255.255.255.255
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool /Common/SMSCsnatPool
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan28
    }
    vlans-enabled
}&nbsp;
What I am actually looking for is something similar as shown in Figure 15.3 at the below link:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/LTM_config_guide_943/ltm_snat.html1198808&nbsp;

nathe · Answer

15.3 is referring to a SNAT object, this is also a type of listener, like a virtual server. In a Snat Object you specify the origin address and a translated address. So any traffic reaching the bigip with source "origin address" is allowed to its destination and then is translated behind the "translation" address. May i suggest you don't use the VS address (.123 i think) but rather a new IP address on the 10 subnet. Hope that works for you.

Forum Discussion

How to configure SNAT to use a Virtual Server as source IP?

7 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

Related Content

Export Virtual Server Configuration in CSV - tmsh cli script

Virtual server and pool configuration disappear...

Check a Virtual Server's SSL Status

Virtual Server graphical App for F5 LTM

Export GTM/DNS Virtual Servers Configuration in CSV - tmsh cli script