Sammo_Li_81151
Mar 31, 2015

Will there be any conflict if the SNAT address is the same as one of the virtual servers?

Hi,

 

I am translating a CSS configuration and there are some services that have a SNAT address that is the same as a virtual server IP. For example:

 

ltm virtual /Common/vs_mse1dr-snat {
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles {
        /Common/fastL4 { }
    }
    source 192.168.52.71/32
    source-address-translation {
        pool /Common/MSE1dr-nat
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/VLAN61
    }
    vlans-enabled
}
ltm virtual /Common/vs_mse1dr-vs {
    destination /Common/192.168.52.71:0
    mask 255.255.255.255
    pool /Common/mse1dr-vs
    profiles {
        /Common/ipother { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}

 

Will there be any conflict?

 

Thanks.

 

2 Replies

  • bhs_114985
    Historic F5 Account

    Hi Sammo,

     

    I wouldn't call it best practice, but you should be OK. When the proxy opens up its server-side connection using the virtual address as its source, it will use a unique source port and TCP connection.

    client 1.1.1.1:1024 ---> VS 1.1.1.2:80 ---> VS (SNAT) 1.1.1.2:1024 ---> Real Server:port

     

  • Hi Sammo,

     

    Using a virtual IP as a SNAT is fine from my perspective.

     

    I.e. I'm using it typically to SNAT outgoing mail.

     

    As the receiver will probably do a reverse lookup, it has to match one of the IPs the MX records for the sender domain resolve to. This way you lower the risk of getting classified as a spammer.

     

    Inbound mail is handled by virtual servers using the same IP.

     

    As Brad already wrote, the virtual server is using a state table.

     

    I can imagine conflicts with protocols like SIP using UDP as transport with fixed ports for source and destination.

     

    Thanks, Stephan
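
A simplified model of the connection-table behaviour both replies describe, as an added example that is not part of the original thread and is not F5 code: it shows why unique source ports keep SNAT flows apart from the virtual server on the same address, and where fixed-port UDP such as SIP becomes ambiguous. The `Proxy` class, its methods, the server address 10.0.0.5 and the second client 1.1.1.3 are assumptions for illustration.

```python
# Simplified model of packet classification on an address that is both a
# virtual server (listener) and a SNAT address. Added illustration, not F5
# code; class and function names and all addresses are constructed.

class Proxy:
    def __init__(self, listeners):
        self.listeners = set(listeners)  # (proto, local_port) per virtual server
        self.flows = set()  # (proto, local_port, remote_ip, remote_port)

    def snat_out(self, proto, src_port, remote_ip, remote_port, fixed_port=False):
        # Open a server-side flow sourced from the shared address. On a tuple
        # collision the proxy moves to the next source port unless the protocol
        # pins it (fixed_port=True), in which case None is returned.
        port = src_port
        while (proto, port, remote_ip, remote_port) in self.flows:
            if fixed_port or port >= 65535:
                return None
            port += 1
        self.flows.add((proto, port, remote_ip, remote_port))
        return port

    def classify(self, proto, remote_ip, remote_port, local_port):
        # Every reason an inbound packet to the shared address could match.
        matches = []
        if (proto, local_port, remote_ip, remote_port) in self.flows:
            matches.append("snat-return")
        if (proto, local_port) in self.listeners:
            matches.append("virtual-server")
        return matches


def demo():
    p = Proxy([("tcp", 80), ("udp", 5060)])
    r = {}
    # TCP: distinct source ports keep SNAT flows apart from the listener.
    r["tcp_a"] = p.snat_out("tcp", 1024, "10.0.0.5", 80)
    r["tcp_b"] = p.snat_out("tcp", 1024, "10.0.0.5", 80)
    r["tcp_reply"] = p.classify("tcp", "10.0.0.5", 80, 1024)
    r["tcp_new"] = p.classify("tcp", "1.1.1.3", 4000, 80)
    # SIP over UDP with port 5060 fixed on both ends.
    r["sip_a"] = p.snat_out("udp", 5060, "10.0.0.5", 5060, fixed_port=True)
    r["sip_b"] = p.snat_out("udp", 5060, "10.0.0.5", 5060, fixed_port=True)
    r["sip_in"] = p.classify("udp", "10.0.0.5", 5060, 5060)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the TCP case every inbound packet has exactly one match; in the fixed-port UDP case the second outbound flow cannot be created and an inbound packet from the same peer matches both the existing flow and the listener.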