
Why do we use a SNAT pool list?

In my environment we are doing SNAT. In address translation in 11.4 we go from public to private IP addresses and use an address range, and we are using a SNAT pool list also, where we are using a private IP address which is different.

Now I am not able to understand what the requirement is to use the SNAT pool list.

What is the difference between the SNAT list and the SNAT pool list in version 11.4?

Is it required to use both for it to work? Please help, I am new to F5.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

A SNAT List is, like a virtual server, a listener. So, any traffic which traverses the BIG-IP from the configured Origin will get translated to the Translation IP address.

A SNAT Pool is a list of Translation addresses. You'd add this object to a virtual server so any traffic egressing the BIG-IP will be hidden/translated by one of the addresses in the pool (I think it's round robin).

Hope this helps,

N

1

What will happen if I configure a SNAT pool only, not a SNAT list? Will it work or not?

1
Comments on this Answer
Comment made 20-Jan-2015 by nathan 7337
A snat pool won't do anything unless it's assigned to a virtual server.
0

We are creating an entry in the SNAT list for the 12.10.112.x private range of our servers in the address list.

And creating an entry in the SNAT pool list for IP 12.10.112.x with a single IP address from a different subnet.

Not able to understand the requirement for both. Please help.

0

Thanks Nathan, but I am not able to understand what the SNAT list is. Is it for inbound traffic or outbound traffic or for both?

IP addresses in the SNAT pool list are used for outbound, I think. Please correct me if I am wrong.

0
Comments on this Answer
Comment made 21-Jan-2015 by nathan 7337
Yes, a SNAT pool would be used for egress traffic (outbound). A SNAT list would also be outbound. S stands for Secure as it accepts no inbound connections, as opposed to a NAT which would be both inbound and outbound.
1

As Nathan said, a SNAT object (the objects that appear on the SNAT list) will translate the source IP address in packets. When a packet's source IP address matches a SNAT object's origin address list, the SNAT will translate that source IP to whatever is listed in the SNAT's translation setting. The translation setting has 3 choices: automap, IP address, and SNAT pool. The translation setting controls whether the SNAT translates the packet's source IP to a specific address (IP address), uses a self IP (automap), or selects an address from a list of multiple IP addresses (SNAT pool).

SNAT pools do not translate anything on their own; a SNAT pool is simply a list of addresses that can be used for translation purposes by a SNAT.

0

Hi VJ,
the "SNAT list" or "default SNAT" (legacy F5 term, if I remember right) forwards traffic (specified in the "Origin" section, which might be VLAN(s) and/or IP address(es) / IP address range(s)) independently from a virtual server. (Nathan described it similarly as a listener.)
As a SNAT entity it will replace the original source IP address with the defined SNAT address.
In case there is a virtual server handling the traffic, the default SNAT may apply as well if there are no configuration options in your pool settings or iRules preventing it.
Whenever possible I try to avoid using "SNAT lists" / "default SNATs".
Instead I specify a SNATpool or SNAT AutoMap in the context of a virtual server.
The virtual server might be a network virtual server in mode IP forwarding.
By using virtual servers (sometimes combined with an iRule for selective SNAT operations) you will get much better control and visibility of your traffic.
In case you are using SNAT with pre-defined addresses (applies as well with SNATpools) make sure to assign idle timeouts in the SNAT address section, please.
If you want to SNAT non-TCP/non-UDP traffic (i.e. ICMP) it will be necessary to modify a global setting which can be found in the WebUI: (System >> Configuration : Local Traffic : General [SNAT packet forwarding]).
Or use tmsh instead to enable/disable this feature globally:

tmsh modify sys db snat.anyipprotocol value enable
tmsh modify sys db snat.anyipprotocol value disable

Thanks, Stephan

0

Thank you Stephan for your answer!

But I did not understand the requirement for creating a SNAT list and a SNAT pool for the same customer. An entry is created in the SNAT list for the 12.10.112.x private subnet range of our servers (10.1.1.0/29) in the address list.

And an entry in the SNAT pool list for IP 12.10.112.x with a different IP address (10.0.11.x), which is called in the VIP's SNAT pool. Not able to understand the requirement for both, because when I delete the SNAT list addresses it also works. Is there a real need for configuring both SNAT list and SNAT pool? In which case is it required to configure both? Sorry for asking again, but I am very confused here.

0
Comments on this Answer
Comment made 02-Feb-2015 by nathan 7337
No need for both, depending on your requirements of course. A SNAT pool is assigned to a VIP and will do source address translation on traffic using the VIP. If you just want to allow traffic through the BIG-IP without a virtual server and do NATing, then a SNAT list will help here.
0
Comment made 02-Feb-2015 by Stephan Manthey 3793
Hi vj_singh, there is no need for "SNAT List" object configurations (aka Default SNAT) in most environments. Using a "SNATpool List" object instead (perhaps just with a single address) or just SNAT AutoMap works well in most environments and gives you much better control. If you have a SNATpool object defined and apply it via direct mapping on a virtual server or via an iRule it will be fine. No more need for a "SNAT List" configuration. Whenever you configure a "SNAT List" object or "SNATpool List" object a new entry will show up in the "SNAT Translation List". It will show the IP addresses to be used for SNAT purposes and allows you to configure protocol specific timeouts. It is recommended to modify the default values ("indefinite") to something matching your traffic flow needs. I hope this answers your question. In another thread (https://devcentral.f5.com/questions/irule-segment-network-no-match) I tried to summarize things as well. Thanks, Stephan
0
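To make the three objects discussed in this thread concrete (Stephan's answer on attaching a SNATpool to a virtual server and setting idle timeouts, and his comment above on the "SNAT Translation List"), here is an added tmsh walkthrough. It is example configuration written for this page, not configuration posted by anyone in the thread or shipped by F5. The object names (servers_snatpool, servers_outbound_fwd, servers_default_snat), the translation addresses 10.0.11.10 and 10.0.11.11, and the timeout values are assumptions chosen for illustration; the 10.1.1.0/29 server range is the one given in the question.

```tmsh
# Added example, not from the thread. Names, the 10.0.11.x translation
# addresses and the timeout values are assumptions; 10.1.1.0/29 is the
# server range from the question. Run inside tmsh on a BIG-IP.

# 1) "SNATpool List" object: only a list of translation addresses.
#    On its own it translates nothing.
create ltm snatpool servers_snatpool members add { 10.0.11.10 10.0.11.11 }

# 2) Recommended pattern: apply the pool in the context of a virtual server.
#    A network (IP forwarding) virtual server for outbound traffic from the
#    server subnet; only traffic that matches this VS gets translated, so
#    the SNAT scope is visible in the VS configuration.
create ltm virtual servers_outbound_fwd destination 0.0.0.0:0 mask any source 10.1.1.0/29 ip-forward profiles add { fastL4 } source-address-translation { type snat pool servers_snatpool }

#    SNAT AutoMap uses the egress self IP instead of a pool:
#    source-address-translation { type automap }

# 3) Legacy "SNAT List" object (ltm snat): a listener keyed on the origin
#    address(es), independent of any virtual server. Its translation setting
#    is one of: a snatpool, a single address, or automap.
create ltm snat servers_default_snat origins add { 10.1.1.0/29 } snatpool servers_snatpool
#    alternatives:  ... translation 10.0.11.10   (single address)
#                   ... automap                  (self IP)

# Both object types add entries to the "SNAT Translation List", whose idle
# timeouts default to indefinite. Set them to match the traffic flows.
modify ltm snat-translation 10.0.11.10 tcp-idle-timeout 300 udp-idle-timeout 60 ip-idle-timeout 60
modify ltm snat-translation 10.0.11.11 tcp-idle-timeout 300 udp-idle-timeout 60 ip-idle-timeout 60

# Verify the objects and see which connections each translation address holds.
list ltm snatpool servers_snatpool
list ltm virtual servers_outbound_fwd source-address-translation
list ltm snat servers_default_snat
show ltm snat-translation

# Once the VS-based SNAT is confirmed to carry the traffic, the default SNAT
# is redundant (the "no need for both" point above) and can be removed.
delete ltm snat servers_default_snat
save sys config
```

Running steps 2 and 3 together reproduces the situation in the question: the same origin range is translated either way, so deleting the SNAT list object changes nothing as long as the virtual server with the SNATpool still matches the traffic. The `show ltm snat-translation` output is the quickest check that translations are actually being used and that the idle timeouts took effect.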