Forum Discussion

Racquel_Mays
Jan 20, 2021

SNAT ingress public to private, snat egress private to public pool

Hello, I have a requirement to SNAT all traffic inbound to the VIP to a private IP (pool), on the same subnet as my internal hosts. That part is simple. However, the egress or return traffic outbound, from the pool member back to the client, must be SNAT'd, once again (requirement), to a pool of public addresses.

So, SNAT in, then SNAT out.

It seems as though I would need to SNAT on the HTTP_RESPONSE, back to client. If I am correct, or if there is a better way, please advise.

2 Replies

  • Ok, but with SNAT on a VIP return traffic will be picked up in the session table and natted back to the virtual server ip address.

    Why do you want to SNAT the return traffic to a pool of public IPs, because that is not how TCP works.

    Clients will have a 3-way handshake to the virtual server address; once an HTTP GET is sent the BIG-IP will make a load balancing decision and perform a 3-way handshake (with an IP address from the SNAT pool as source) with the selected pool member (internal host).

    Any traffic between external client and internal host will flow via these two tcp sessions (client side session and server side session).

    Or do you have another requirement to use a pool of external IP addresses (maybe for outbound traffic initiated by the internal hosts)?


    Cheers,


    Kees

    • Racquel_Mays

      Yes, the requirement is that we use a pool of our external IPs. There are specific reasons for this setup. I figured it out; created a SNAT List (Global SNAT), configured a snatpool, then added it to my SNAT List. Works as expected.
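The two-part setup the thread arrives at, as an added tmsh example (commands typed inside the tmsh shell) that is not from either poster: the virtual server carries a private snatpool for the inbound side, and a separate global SNAT (the "SNAT List" in the GUI) with a public snatpool covers connections the internal hosts initiate themselves. All object names, addresses (documentation ranges) and the VLAN name are assumptions.

```tmsh
# Assumed: VIP 203.0.113.10, internal subnet 10.0.1.0/24, VLAN "internal".
# Names and addresses are placeholders, not taken from the original thread.

# Inbound: client -> VIP. The server-side connection is sourced from a
# private snatpool, so pool members see a BIG-IP address on their own subnet.
create ltm snatpool snatpool_private members add { 10.0.1.201 10.0.1.202 }
create ltm pool pool_web members add { 10.0.1.11:80 10.0.1.12:80 } monitor http
create ltm virtual vs_web destination 203.0.113.10:80 ip-protocol tcp profiles add { tcp http } pool pool_web source-address-translation { type snat pool snatpool_private }

# Return traffic for these connections is matched in the connection table and
# translated back to the VIP address automatically; no HTTP_RESPONSE iRule is needed.

# Outbound: connections initiated by the internal hosts get a public source
# address from a second snatpool through a global SNAT, limited to the internal VLAN.
create ltm snatpool snatpool_public members add { 203.0.113.201 203.0.113.202 }
create ltm snat snat_outbound origins add { 10.0.1.0/24 } snatpool snatpool_public vlans add { internal } vlans-enabled

# A forwarding virtual server must accept the outbound traffic before the global
# SNAT can translate it; listen on the internal VLAN only.
create ltm virtual vs_forward_out destination 0.0.0.0:0 mask any ip-forward vlans add { internal } vlans-enabled

save sys config

# Verify which translation a flow actually received (client-side address filter).
show sys connection cs-client-addr 10.0.1.11
```

Inspect the connection table after generating traffic from a pool member: an outbound flow should show a snatpool_public address on the server side, while a flow entered through the VIP keeps the VIP address toward the client.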