Forum Discussion

Jonathynl_46130
Jan 25, 2014

SNAT, overlap and precedence

I could not find any information on SNAT and overlapping terms, this is specifically for outgoing traffic from Server(s) behind LTM devices.


I have two segments, one segment has an SNAT definition with two Origins defined, bound to a particular VLAN. The second segment and the Servers within that segment will be decommissioned. However there are two active flows in the legacy segment that will be migrated to the Servers in the new segment. The segment that will be decommissioned has a different SNAT configured and third parties expect connections to come from this address.


I was thinking retain the SNAT definition on the new segment, define forwarding VS's for the destinations of the migrated flows, bind the legacy SNAT to the forwarding VS (destination IP/port).


The functionality I would like to have is that all connections destined for the forwarding VS destination IPs and ports will take precedence over the generic SNAT on the VLAN, and then all other traffic egressing through this path will use the generic SNAT or the catch-all SNAT?


Will this work as I intend? Or is there a better way to do it?


1 Reply

  • The functionality I would like to have is that all connections destined for the forwarding VS destination IPs and ports will take precedence over the generic SNAT on the VLAN, and then all other traffic egressing through this path will use the generic SNAT or the catch-all SNAT?

    Not sure if I understand correctly.

    Anyway, if the virtual server has no SNAT but there is a SNAT list, traffic matching the virtual server will also be translated according to the SNAT list.

    If you do not want the SNAT list to be applied, there are 3 options: one is to disable SNAT in an iRule, the second is to disable "allow SNAT" in the pool (if the virtual server has a pool), and the last one is to assign a snatpool to the virtual server.

    e.g.

     Virtual server has no SNAT but there is a SNAT list:
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual net192
    ltm virtual net192 {
        destination 192.168.206.0:0
        ip-forward
        mask 255.255.255.0
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            internal
        }
        vlans-enabled
        vs-index 9
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat snat101
    ltm snat snat101 {
        origins {
            0.0.0.0/0 { }
        }
        translation /Common/172.28.24.101
        vlans {
            internal
        }
        vlans-enabled
    }
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    05:39:00.293960 IP 200.200.200.101 > 192.168.206.178: ICMP echo request, id 63845, seq 1, length 64 in slot1/tmm1 lis=
    05:39:00.294022 IP 172.28.24.101 > 192.168.206.178: ICMP echo request, id 63845, seq 1, length 64 out slot1/tmm1 lis=/Common/net192
    05:39:00.296797 IP 192.168.206.178 > 172.28.24.101: ICMP echo reply, id 63845, seq 1, length 64 in slot1/tmm1 lis=/Common/net192
    05:39:00.296806 IP 192.168.206.178 > 200.200.200.101: ICMP echo reply, id 63845, seq 1, length 64 out slot1/tmm1 lis=/Common/net192
    
     Virtual server has a snatpool and there is also a SNAT list:
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual net192
    ltm virtual net192 {
        destination 192.168.206.0:0
        ip-forward
        mask 255.255.255.0
        profiles {
            fastL4 { }
        }
        source 0.0.0.0/0
        source-address-translation {
            pool snatpool102
            type snat
        }
        translate-address disabled
        translate-port disabled
        vlans {
            internal
        }
        vlans-enabled
        vs-index 9
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snatpool snatpool102
    ltm snatpool snatpool102 {
        members {
            172.28.24.102
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat snat101
    ltm snat snat101 {
        origins {
            0.0.0.0/0 { }
        }
        translation /Common/172.28.24.101
        vlans {
            internal
        }
        vlans-enabled
    }
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    05:41:54.785017 IP 200.200.200.101 > 192.168.206.178: ICMP echo request, id 65125, seq 1, length 64 in slot1/tmm1 lis=
    05:41:54.785091 IP 172.28.24.102 > 192.168.206.178: ICMP echo request, id 65125, seq 1, length 64 out slot1/tmm1 lis=/Common/net192
    05:41:54.787933 IP 192.168.206.178 > 172.28.24.102: ICMP echo reply, id 65125, seq 1, length 64 in slot1/tmm1 lis=/Common/net192
    05:41:54.787943 IP 192.168.206.178 > 200.200.200.101: ICMP echo reply, id 65125, seq 1, length 64 out slot1/tmm1 lis=/Common/net192
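The precedence the reply demonstrates with the two captures, as an added simplified model (not F5 code) that also covers the asker's design: a forwarding VS keyed on a migrated destination IP/port carries the legacy SNAT address, while everything else on the VLAN falls through to the generic SNAT list. The virtual `legacy_fwd`, the addresses 203.0.113.10 and 198.51.100.5, and the treatment of a snatpool as a single address are constructed assumptions; the order in which an iRule `snat none` and a pool's "allow snat" setting are evaluated relative to each other is also assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of how BIG-IP picks the source address for a flow
# through a forwarding virtual server, following the precedence in the
# reply: a snatpool on the VS, an iRule "snat none", or a pool with
# "allow snat" disabled keeps the VLAN SNAT list from applying; otherwise
# the first "ltm snat" whose origins and vlans match the flow translates
# the source, and unmatched flows leave with their original address.

@dataclass
class Snat:                 # an "ltm snat" object bound to VLANs
    name: str
    origins: List[str]
    translation: str
    vlans: List[str]

@dataclass
class Virtual:              # an ip-forward "ltm virtual" keyed on destination
    name: str
    destination: str        # "net/prefix:port", port 0 means any port
    vlans: List[str]
    snatpool: Optional[str] = None   # single-member snatpool (assumption)
    irule_snat_none: bool = False    # iRule issuing "snat none"
    pool_allow_snat: bool = True     # pool "allow snat" setting

def _dest_match(vs, dst_ip, dst_port):
    net, port = vs.destination.rsplit(":", 1)
    in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net)
    return in_net and port in ("0", str(dst_port))

def select_source(src_ip, dst_ip, dst_port, vlan, virtuals, snats):
    """Return the source address the flow egresses with (assumed model)."""
    vs = next((v for v in virtuals
               if vlan in v.vlans and _dest_match(v, dst_ip, dst_port)), None)
    if vs is not None:
        if vs.irule_snat_none or not vs.pool_allow_snat:
            return src_ip           # SNAT explicitly disabled on this VS path
        if vs.snatpool:
            return vs.snatpool      # VS snatpool wins over the SNAT list
    src = ipaddress.ip_address(src_ip)
    for s in snats:                 # fall through to the VLAN-bound SNAT list
        if vlan in s.vlans and any(src in ipaddress.ip_network(o) for o in s.origins):
            return s.translation
    return src_ip

# Constructed objects: the reply's two captures plus the asker's migrated flow.
SNAT101 = Snat("snat101", ["0.0.0.0/0"], "172.28.24.101", ["internal"])
NET192 = Virtual("net192", "192.168.206.0/24:0", ["internal"])
NET192_POOL = Virtual("net192", "192.168.206.0/24:0", ["internal"], snatpool="172.28.24.102")
LEGACY_FWD = Virtual("legacy_fwd", "203.0.113.10/32:443", ["internal"], snatpool="198.51.100.5")
```

The first two calls reproduce the captures above (172.28.24.101 without a VS snatpool, 172.28.24.102 with one); the legacy_fwd case shows the migrated flow keeping the legacy address while other traffic to the same host still takes the generic SNAT.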