I'm trying to see the difference between the snat and automap for the Source Address Translation option.
Currently I have traffic coming in to the F5 using automap. What though specifically does that mean? And why wouldn't I use SNAT? All the nodes, (servers in our lan), are not configured to have the F5 as its default gateway. I have a lot of virtual servers configured and I'm not sure how the self-ip plays a role in the nating or snating if at all.
From what I understand (but could be wrong) an external client request is directed to the vip ip (since our firewall nats it there) and the destination IP is that of the vip. The F5 then translates the destination IP to that of the IP of the pool member. Then on the way back out the source is translated to the of the vip. But what about the selfip?
Can someone please explain all this? Thanks!
client connection: external ip -> vip ip
server connection: BIG-IP self ip -> server ip
SNAT is for changing the SOURCE address. Without SNAT, packets from the client arriving at the VIP retain the client's true source address. SNAT is then important if the downstream server knows how to route back to that address directly (not back through the F5). SNAT will change the client source to an address controlled by the F5 to essentially force return traffic back through the proxy.
snat automap uses the egress vlan interface ip. by establishing a snat pool, and attaching, you can control what IP this translates to.
For the Client->F5->Server, consider these scenarios:
Routed, client source address goes to the server. Routes necessary back through BIG-IP on servers or servers gw
Snat Automap, client source is managed on BIG-IP, source is translated to self IP on egress interface heading toward servers. For servers needing source IP for reporting or decision processes, must insert in an application header or possibly in tcp options.
Snat Pool, client source is still managed on BIG-IP, but source is translated to an IP you configure and attach to the virtual server. I like this option because I can map external IP -> internal IP by application so I know what flows belong to what application on the inside of the organization/dmz as appropriate. If traffic isn't necessary to come back through the BIG-IP, can also snat to the original client's source IP.
Help me understand a little clearer please. Since I have chose Automap is this how my traffic is flowing?:
External IP from client request:220.127.116.11
External IP from client is nated to the vip, the F5 translates the destination address of 10.1.10.5 to that of the node of 192.168.50.50
On the way back out the F5 translates the source ip address of 192.168.50.50 to that of the vip at 10.1.10.5.
I'm still not sure if the self ip is being used in my scenario or at all and if it is how? What also confuses me is that the options I have are one of two, either snat or automap, not Snat Automat as if it's one.
also, you can do:
tcpdump -ni 0.0
and that will show you the flow for client and serverside connections. Of course if you are in a one-armed setup (one vlan), you can just capture on the vlan interface itself.