snat vs automap, whats the difference?

I'm trying to see the difference between the SNAT and Automap settings for the Source Address Translation option.

Currently I have traffic coming in to the F5 using Automap. What, though, does that specifically mean? And why wouldn't I use SNAT? All the nodes (servers in our LAN) are not configured to have the F5 as their default gateway. I have a lot of virtual servers configured and I'm not sure how the self IP plays a role in the NATing or SNATing, if at all.

From what I understand (but I could be wrong), an external client request is directed to the VIP address (since our firewall NATs it there) and the destination IP is that of the VIP. The F5 then translates the destination IP to that of the IP of the pool member. Then on the way back out the source is translated to that of the VIP. But what about the self IP?

Can someone please explain all this? Thanks!


Answers to this Question


client connection: external ip -> vip ip

server connection: BIG-IP self ip -> server ip

Comments on this Answer
Comment made 31-May-2016 by a.basharat 294
JRahm, so looking at that, using a single F5 to load balance across several servers, do we really need to configure a floating IP address then? The way you described it is not..., is it only for HA pairs?
Comment made 31-May-2016 by Vijay 4910
Floating IP is usually required for HA. You don't need it for single F5.
Comment made 1 month ago by Adriano Bezerra 129

SNAT is for changing the SOURCE address. Without SNAT, packets from the client arriving at the VIP retain the client's true source address. SNAT is then important if the downstream server knows how to route back to that address directly (not back through the F5). SNAT will change the client source to an address controlled by the F5 to essentially force return traffic back through the proxy.


SNAT Automap uses the egress VLAN interface IP. By establishing a SNAT pool and attaching it, you can control what IP this translates to.

For the Client->F5->Server path, consider these scenarios:

  1. Routed: the client source address goes to the server. Routes back through the BIG-IP are necessary on the servers or the servers' gateway.

  2. SNAT Automap: the client source is managed on the BIG-IP; the source is translated to the self IP on the egress interface heading toward the servers. For servers needing the source IP for reporting or decision processes, it must be inserted in an application header or possibly in TCP options.

  3. SNAT Pool: the client source is still managed on the BIG-IP, but the source is translated to an IP you configure and attach to the virtual server. I like this option because I can map external IP -> internal IP by application, so I know what flows belong to what application on the inside of the organization/DMZ as appropriate. If traffic doesn't need to come back through the BIG-IP, you can also SNAT to the original client's source IP.


Thanks JRahm, help me understand a little more clearly please. Since I have chosen Automap, is this how my traffic is flowing? Example: external IP from client request: 11.11.11.11, VIP: 10.1.10.5, node: 192.168.50.50.

The external IP from the client is NATed to the VIP; the F5 translates the destination address of 10.1.10.5 to that of the node, 192.168.50.50. On the way back out the F5 translates the source IP address of 192.168.50.50 to that of the VIP at 10.1.10.5.

or

I'm still not sure if the self IP is being used in my scenario, or at all, and if it is, how? What also confuses me is that the options I have are one of two, either SNAT or Automap, not "SNAT Automap" as if it's one.


also, you can do:

tcpdump -ni 0.0

and that will show you the flow for client and serverside connections. Of course if you are in a one-armed setup (one vlan), you can just capture on the vlan interface itself.

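To tie JRahm's three scenarios to the two connections a tcpdump on 0.0 would show, here is an added model (not code from the thread or from F5) of what BIG-IP puts on each side of the proxy and whether the pool member's reply can come back through it. It uses the poster's client, VIP and node addresses; the server VLAN, self IP and SNAT pool address are assumed lab values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the thread: client 11.11.11.11, VIP 10.1.10.5, node 192.168.50.50.
# Everything below them is an assumed lab value, not from the thread.
CLIENT, VIP, NODE = "11.11.11.11", "10.1.10.5", "192.168.50.50"
SERVER_VLAN = ip_network("192.168.50.0/24")   # assumed server-side VLAN
EGRESS_SELF_IP = "192.168.50.2"               # assumed BIG-IP self IP on that VLAN
SNAT_POOL = ("192.168.50.100",)               # assumed SNAT pool address


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def server_side_source(mode, client_ip=CLIENT, self_ip=EGRESS_SELF_IP, snat_pool=SNAT_POOL):
    """Source address BIG-IP uses on the server-side connection for each SNAT setting."""
    if mode == "none":       # scenario 1: routed, client address preserved
        return client_ip
    if mode == "automap":    # scenario 2: self IP of the egress VLAN
        return self_ip
    if mode == "pool":       # scenario 3: an address from the attached SNAT pool
        return snat_pool[0]
    raise ValueError(f"unknown SNAT mode {mode!r}")


def proxy_flows(mode):
    """The two connections a full proxy holds: client side and server side."""
    return Flow(CLIENT, VIP), Flow(server_side_source(mode), NODE)


def reply_returns_via_bigip(mode, server_gw_is_bigip):
    """Does the pool member's reply reach BIG-IP instead of bypassing it?

    The server answers to the server-side source. If that address sits on its
    own VLAN it replies directly (BIG-IP owns the address, so the reply lands
    on the proxy); otherwise the server consults its routing table, and only a
    route or default gateway via BIG-IP brings the reply back."""
    reply_dst = ip_address(server_side_source(mode))
    if reply_dst in SERVER_VLAN:
        return True
    return server_gw_is_bigip


if __name__ == "__main__":
    for mode in ("none", "automap", "pool"):
        c, s = proxy_flows(mode)
        ok = reply_returns_via_bigip(mode, server_gw_is_bigip=False)
        print(f"{mode:8} client side {c.src}->{c.dst}  server side {s.src}->{s.dst}"
              f"  reply via BIG-IP: {ok}")
```

Run with the servers' gateway not pointing at the BIG-IP (the poster's situation) and only the routed scenario fails the return-path check, which is why Automap works there without any server-side routes.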