Forum Discussion

leosilvapaiola_'s avatar
leosilvapaiola_
Icon for Nimbostratus rankNimbostratus
Jan 04, 2019

Configuration: VS + SNAT

Hi community!!

 

I have a configuration issue, where I have an application running in several ports (eight or nine from 77XX up).

 

And in the same, time I have to give Internet access to that server for multiple purposes.

 

Now, for the Internet access I have no problems, I created a SNAT object and the server is able to go out.

 

In the other hand, when I try to publish the application I have some troubles.

 

First I tried with a SNAT object (different direction than the previous one) - didn't worked - I don't know if I configured properly.

 

I tried with a Standard Virtual Server, listening for "all ports" - didn't worked.

 

I tried with a Forwarding Virtual Server, listening for "all ports" - didn't worked.

 

The fact is, that for that particular application we do not care if we process traffic via full proxy or forward the traffic as it comes, actually if we translate it to a Firewall language, we like to have a DMZ type of approach with it.

 

The thing is that I don't know if the SNAT object (internet access) is interfering with any virtual server publishing the application. Or if we have to have 2 SNAT objects, one for every direction: From Internet to the server and viceversa.

 

Can someone point me in the right direction?

 

Here is the SNAT object that is actually working (from inside to the Internet). I think that an opposite direction SNAT would do the trick but I'm not sure how to configure it.

 

 

1 Reply

  • It looks as if your SNAT configuration would only work for internal clients trying to make a connection outbound. The SNAT listener created seems to only be listening for internal IPs and thus any connections from external IPs would have no translation. My suggestion would be to create a SNAT object and configure it to listen for all IP addresses but limit it to the Internet facing vlan. This way it will activate whenever a connection comes from outbound since connections starting within the network seem to be working properly. Then configure to SNAT to a translation address in the same network as your server. This should allow proper communication between your server and an external client.

     

    SNAT can be configured a few different ways on the F5 device. The most common way is to have a self-ip assigned in each network you wish to communicate with and then configure the virtual server to use SNAT Automap(or SNAT pool which is only necessary if you app exceeds 64,000 concurrent connections), which automatically configures SNATing with the self-ips as the addresses to be used. In your case, you would have a self-ip on your Internet facing network and a self-ip on your internal network. Any traffic through a VS configured this way would SNAT both to and from the servers automatically. This is the way I would suggest you configure your F5 as it simplifies the process and uses a predictable IP address to send data.

     

    If you have any questions on either solution, I am sure I can help.