BIG-IP : virtual-server configuration for snat

Question

BIG-IP 11.4.0 Build 2384.0 Final&nbsp;
vip-external-01 is enabled for vlan-external-01 and routes to pool-01 whose members live on vlan-internal-01.  vip-external-01 has snat auto-map enabled.&nbsp;
vip-internal-01 is enabled for vlan-internal-01 and should be chosen as self-ip for traffic routed by vip-external-01 to pool-01&nbsp;
On vip-external-01 , is it also necessary to enable vlan-internal-01 ?&nbsp;
And on vip-internal-01 , is it also necessary to enable vlan-external-01 ?&nbsp;
More generally speaking, how to configure a simple network to support a browser-client request sent to vip and routed to the destination web-server with 
response traveling the reverse path ?&nbsp;

kevin_stewart · Answer

On vip-external-01 , is it also necessary to enable vlan-internal-01 ?&nbsp;

No. Only the ingress VLAN needs to be enabled.&nbsp;

And on vip-internal-01 , is it also necessary to enable vlan-external-01 ?&nbsp;

No. Same reason.&nbsp;

More generally speaking, how to configure a simple network to support browser-client request sent to vip and the routed to destination web-server with response following the reverse path back ?&nbsp;

The simplest answer is a VIP pointing to a pool and an applied SNAT. You can optionally enable/disable specific VLANs to limit ingress traffic, but it's not absolutely required. The SNAT guarantees return routing.&nbsp;

kevin_stewart · Answer

When I create my SNAT Pool, should it consist of one or more Self IPs ?  Is a SNAT Pool just a collection of Self IPs that BIG-IP dynamically selects and assigns as the request's origin IP ? &nbsp;

A SNAT pool should NOT consist of self-IPs. It should rather contain a list of IP addresses (not self-IPs) in the desired subnet. Further, the IPs in the SNAT pool are not actually dynamically selected. Generally, one IP is used until it reaches port exhaustion.&nbsp;

nitass · Answer

the concept is bigip is default deny device. to allow traffic passing through bigip, object listener is required. there are 3 object listners (i.e. virtual server, snat and nat). the object listener is listening on ingress vlan. snat is also available under virtual server configuration (i.e. snat automap, snatpool).&nbsp;
sol9038: The order of precedence for local traffic object listeners&nbsp;
http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html&nbsp;
for snat automap, selfip on egress vlan will be selected.&nbsp;
sol7336: The SNAT Automap and self IP address selection&nbsp;
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7336.html&nbsp;

jo_31162 · Answer

Hi all,&nbsp;
I need to configure SNAT pool instead of automap.&nbsp;
With "One Arm" configuration and two different Subnet for VIPs and Servers, which SNAT pool IP/Subnet is better to configure?&nbsp;
Related to VIP Subnet, related to Servers Subnet or whatever?&nbsp;
Thanks in advance&nbsp;
Brgds&nbsp;

Forum Discussion

BIG-IP : virtual-server configuration for snat

4 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Getting Started with BIG-IP Next: Configuring Instance High Availability

F5 BIG-IP SSL Orchestrator Configuration with Advanced WAFaaS

BIG-IP vWire Configuration

Use BIG-IP LTM Virtual Server & iRule for an internal "What's My IP" website

BIG-IP Report