SNAT/NAT and Outbound ISP Load Balancing

We are running short on public IPs, and it looks as if our current configuration could be tweaked to free up an address. Our configuration was set up by an F5 partner, and I have been reading and trying to understand how it could be adjusted. We have 2 ISPs and are using the Big-IP to load balance the connections. It was our desire to have outbound traffic come from a single address under each ISP, as we have some partners that want to filter us that way. We also needed for some specific devices to go out through one ISP or the other using a specific address.

The F5 partner set us up using an "intelligent SNAT", as I understand it is described in the documentation. There is an LTM pool that contains the gateways for the 2 ISPs. There are 2 SNAT pools, one for each ISP, each of which contains the desired outbound address. There are 3 virtual servers (1 HTTP, 1 FTP, 1 all ports) that utilize this pool as a resource and have an iRule associated. The iRule does some evaluation of the source ISP and then chooses a SNAT pool to use.

I basically understand how this is all working, but based on the documentation I have read, it looks like I could maybe recover an address and simplify things. To that end, I am wondering if anyone could advise if the following is feasible. There is a floating address for each ISP. It is my understanding that, as a default, this is the IP that would be used if SNAT'ing was set to automap. If I changed that and got rid of the iRule, it seems that outbound traffic would go out using the desired address(es). I would still have a couple of things that need to go out over a different IP (for example, outbound SMTP). I was thinking I could set up a NAT for each one of those things. Would that work?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Bill,

Yes, that would work. Can you post the VS configurations here, so we can help you redesign?

Cheers,

Kees

Comments on this Answer
Comment made 2 months ago by Bill Mayo

Thanks for the response. I think this is what you are asking to see.

ltm virtual /Common/Proxy_Outbound_Traffic {
    description "Outbond Proxy Traffic"
    destination /Common/0.0.0.0:80
    ip-protocol tcp
    mask any
    persist {
        /Common/dest_addr {
            default yes
        }
    }
    pool /Common/isp_default_gw_pool
    profiles {
        /Common/fastL4 { }
        /Common/http { }
        /Common/stats { }
    }
    rules {
        /Common/ISP_Selective_SNAT_V10
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port enabled
    vlans {
        /Common/f5-to-asa-v-500
    }
    vlans-enabled
}
ltm virtual /Common/Proxy_Outbound_Traffic_HTTPS {
    description "Proxy_Outbound_Traffic HTTPS"
    destination /Common/0.0.0.0:443
    ip-protocol tcp
    mask any
    persist {
        /Common/dest_addr {
            default yes
        }
    }
    pool /Common/isp_default_gw_pool
    profiles {
        /Common/fastL4 { }
        /Common/stats { }
    }
    rules {
        /Common/ISP_Selective_SNAT_V10
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port enabled
    vlans {
        /Common/f5-to-asa-v-500
    }
    vlans-enabled
}
ltm virtual /Common/outbound_FTP {
    description "outbound FTP"
    destination /Common/0.0.0.0:21
    ip-protocol tcp
    mask any
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/isp_default_gw_pool
    profiles {
        /Common/ftp { }
        /Common/tcp { }
    }
    rules {
        /Common/ISP_Selective_SNAT_V10
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port enabled
    vlans {
        /Common/f5-to-asa-v-500
    }
    vlans-enabled
}
ltm virtual /Common/outbound_inet_traffic_vs {
    description "Outbound Traffic Toward the Internet"
    destination /Common/0.0.0.0:0
    mask any
    persist {
        /Common/dest_addr {
            default yes
        }
    }
    pool /Common/isp_default_gw_pool
    profiles {
        /Common/fastL4 { }
    }
    rules {
        /Common/ISP_Selective_SNAT_V10
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/f5-to-asa-v-500
    }
    vlans-enabled
}
ltm virtual-address /Common/0.0.0.0 {
    address any
    arp disabled
    icmp-echo disabled
    mask any
    traffic-group /Common/traffic-group-1
}
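One way to write the simplified design discussed in the question, as an added example that is not from the thread or from F5's own documentation. It keeps the existing gateway pool and wildcard VS but replaces the iRule with SNAT automap, and handles the SMTP exception with a dedicated virtual server plus SNAT pool rather than an `ltm nat` object, because a NAT only rewrites the address and does not pin which ISP gateway the packet leaves through. The ISP VLAN names, the mail server address and all public addresses are assumptions.

```tmsh
# Added example (not from the thread); names, VLANs and addresses are assumed.
# Wildcard VS with automap instead of the iRule. Automap uses the floating
# self IP of the VLAN the connection egresses on, so each ISP gateway must
# sit on its own VLAN with its own floating self IP (the partner-visible IP).
ltm virtual /Common/outbound_inet_traffic_vs {
    destination /Common/0.0.0.0:0
    pool /Common/isp_default_gw_pool
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/f5-to-asa-v-500
    }
    vlans-enabled
}
# Exception for the mail server (assumed 10.1.1.25): a VS with a /32 source is
# more specific than the wildcard and matches first. It pins both the gateway
# (ISP1-only pool) and the source address (ISP1 SNAT pool), so the address a
# partner sees always matches the ISP the packet actually leaves through.
ltm pool /Common/isp1_gw_pool {
    members { /Common/203.0.113.1:0 { address 203.0.113.1 } }
    monitor /Common/gateway_icmp
}
ltm snatpool /Common/smtp_snat_pool {
    members { /Common/203.0.113.11 }
}
ltm virtual /Common/outbound_smtp_vs {
    destination /Common/0.0.0.0:25
    ip-protocol tcp
    pool /Common/isp1_gw_pool
    profiles {
        /Common/fastL4 { }
    }
    source 10.1.1.25/32
    source-address-translation {
        pool /Common/smtp_snat_pool
        type snat
    }
    translate-address disabled
    vlans {
        /Common/f5-to-asa-v-500
    }
    vlans-enabled
}
```

Since the ISP-facing floating self IPs now carry all egress traffic and are the addresses partners see, keep their port lockdown at Allow None (`allow-service none`) so no BIG-IP services listen on them.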