Forum Discussion

SAP
Oct 06, 2018

should client see the SNAT IP

Hi All,

I need to understand here: does my client see the SNAT IP during the TCP connection / data flows?

As I see in one of the client application screenshots, they are able to see the self IP which is communicating with the back-end nodes.

I suppose the client should only see the VIP IP, not the SNAT IP. If the client is able to see the SNAT IP, isn't that a security hole?

Any explanations will be much appreciated.

Thanks, Soumen Abhishek

3 Replies

  • Hey Soumen

    Can you please explain a bit further regarding the different traffic flows? When is the client seeing the SNAT address?

    Since the BIG-IP is a Full Proxy, there will be one TCP connection between the Client and the BIG-IP and one TCP connection between the BIG-IP and the Server.

    You are correct that when a client communicates with the VIP, it will only see traffic between itself and the VIP. And on the server side, if you have SNAT enabled on your virtual server, the server side connection will see the SNAT IP address.

    To give you an example, here are the traffic flows of my client communicating with the BIG-IP, and the BIG-IP with the server. The .33 address is my floating self-IP address on that VLAN:

    [root@bigipcore02:Active:Changes Pending] config  tmsh show sys connection cs-server-addr 10.10.15.245
    Sys::Connections
    10.10.10.111:42012  10.10.15.245:80  10.10.15.33:42012  10.10.15.10:80  tcp  25  (tmm: 0)  none
    

    Is it possible for you to share the printscreen of the traffic?

  • Hi,

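    If you want the F5 to use the VIP IP to communicate with the client, use the following iRule. Otherwise, the client will see the self IP of the F5.

     when CLIENT_ACCEPTED {
         # Use the address the client connected to (the virtual server IP) as the SNAT address
         snat [IP::local_addr]
     }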
    
    • SAP

      Hi Volodh,

      Is that the default behaviour?

      Thanks
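
Added example (not part of the original thread, and not F5 code): a small parser for the connection-table line quoted in the first reply, splitting it into the client-side and server-side flows and reporting which address each end sees. The column order (client, virtual server, SNAT source, pool member) follows that reply's description; the function names are hypothetical, only IPv4 `addr:port` entries are handled, and the second line in the test is constructed.

```python
import ipaddress
from typing import NamedTuple

# Connection-table line copied from the first reply in this thread.
SAMPLE = ("10.10.10.111:42012  10.10.15.245:80  10.10.15.33:42012  "
          "10.10.15.10:80  tcp  25  (tmm: 0)  none")

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

def _endpoint(token):
    """Parse an IPv4 'addr:port' token; raises ValueError on anything else."""
    addr, port = token.rsplit(":", 1)
    ipaddress.IPv4Address(addr)
    return addr, int(port)

def parse_connection(line):
    """Split one full-proxy entry into its two independent TCP flows."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError("not a connection entry: %r" % line)
    client, vip, snat, node = (_endpoint(f) for f in fields[:4])
    return {
        "client_side": Flow(*client, *vip),   # client <-> virtual server
        "server_side": Flow(*snat, *node),    # BIG-IP source <-> pool member
        "proto": fields[4],
    }

def visibility(conn):
    """Report which peer address each end of the proxy sees."""
    cs, ss = conn["client_side"], conn["server_side"]
    snat_applied = ss.src != cs.src  # source was translated on the server side
    return {
        "client_sees_peer": cs.dst,
        "server_sees_peer": ss.src,
        "snat_applied": snat_applied,
        # True only when the translated source also appears in the client-side
        # flow, e.g. when the SNAT address is the virtual server address.
        "snat_in_client_flow": snat_applied and ss.src in (cs.src, cs.dst),
    }

if __name__ == "__main__":
    for key, value in visibility(parse_connection(SAMPLE)).items():
        print(key, "=", value)
```
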