Forum Discussion

Aubrey_King_278
Apr 16, 2015

nat / snat question

If outbound traffic leaves a NAT on a firewall behind my LTM (running outbound link load balancing to 5 providers), why must I SNAT it? If I do not SNAT my outbound forwarding VS, all traffic stops. My inbound services seem to function properly (including notoriously difficult return traffic, like IPsec passthrough to the fw behind the LTM). Why is it that my forwarding VS does not seem to just route the traffic? Why must I SNAT the FW's NAT traffic?

The other rub is that if I SNAT it, my return IPsec traffic dies. There's an iRule for that! ;-)

Thanks,

Aubrey

3 Replies

  • Can I simply SNAT to the firewall's IP (which is routable from the internet through the LTM) and achieve my result?
    BinaryCanary_19
    Historic F5 Account

    Strictly speaking, you only need SNAT when your routing is either broken, or you for any reason (many of which are perfectly rational) do not want to change your routing.


    When you SNAT, you are simply guaranteeing that the return traffic will come back through the F5, which may be the only device in your network that knows the correct place to send the traffic.


    If you don't SNAT, the target device will choose whatever route it believes is best, and the traffic may wind up in a black hole.


    • BinaryCanary_19
      Historic F5 Account
      IPsec, as the name implies, is "IP Security", and is designed to break if the IP address of the parties communicating suddenly changes :) There is an IPsec feature called "NAT Traversal" that assists with this kind of scenario, but it's slightly more complex and perhaps your iRule workaround is the wiser choice.
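An added example, not code from the thread or from F5, of the kind of iRule the question and the IPsec reply point at: the forwarding virtual server keeps SNAT automap so that return traffic for ordinary outbound connections comes back through the LTM, while the firewall's own IPsec traffic (ESP, AH, IKE on UDP 500 and NAT-T on UDP 4500) is left untranslated because changing its source address breaks the security association. The firewall outside address 192.0.2.10, the virtual server name, and the availability of the UDP:: port commands under the profile attached to the forwarding VS are assumptions.

```tcl
# Added example iRule (not from the thread). Assumed attachment point: an
# IP-forwarding virtual server with SNAT automap, e.g.
#   tmsh create ltm virtual vs_outbound_fwd destination 0.0.0.0:0 mask 0.0.0.0 \
#        ip-forward ip-protocol any profiles add { fastL4 } \
#        source-address-translation { type automap } rules { irule_ipsec_no_snat }
# Assumption: 192.0.2.10 is the firewall's outside (NAT) address, which is
# routable from the Internet through the LTM.

when CLIENT_ACCEPTED {
    set fw_ip "192.0.2.10"
    set proto [IP::protocol]

    if { [IP::client_addr] equals $fw_ip } {
        # ESP (IP protocol 50) and AH (51): the remote gateway matches these
        # against the peer address in the SA, so a SNAT makes them unmatchable.
        if { $proto == 50 || $proto == 51 } {
            snat none
            return
        }
        # IKE (UDP 500) and NAT-T (UDP 4500): keep the firewall's address as the
        # IKE endpoint. Assumption: UDP::local_port is usable with the profile in use.
        if { $proto == 17 } {
            set dport [UDP::local_port]
            if { $dport == 500 || $dport == 4500 } {
                snat none
                return
            }
        }
    }

    # Everything else is translated, which guarantees the reply path comes
    # back through the LTM rather than whatever route the far end prefers.
    snat automap
}
```

The check runs on the original packet's source address, so only the firewall's IPsec flows are exempted; NAT'd client traffic behind the same firewall still gets SNAT and its return path through the LTM.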