funkdaddy_31014
Apr 30, 2015

Conditional SNAT for outbound traffic

Hello,

 

We have a cluster of web servers serving multiple VIPs, which occasionally need to make outbound requests to the Internet. For this purpose we use a SNAT over an external IP on the BigIP. We now have a case where these same web servers (on 10.2.x.x net) need to make requests to a different segment (10.20.x.x) on our internal network. The servers have their default routes pointing to the BigIP, and we do not wish to add a route to the destination network (10.20.x.x) on all the web servers. I added the 10.20.x.x route to the BigIP, but the SNAT overrides this so the requests go out through the external IP and therefore cannot get to the 10.20.x.x net.

 

Is there a way to make a SNAT dependent on the destination network? Or perhaps a better way to do this?

 

Thanks, Funkdaddy

 

3 Replies

  • nathe

    How about a forwarding IP VS to the 10.20.x.x network, and then use SNAT automap on this VS to return traffic back to the BigIP? Depending on the version, you can restrict this further and configure the Source on the VS too, to be the web servers on the 10.2.x.x LAN.

     

    Hope that would work.

     

    N

     

  • N,

     

    Thanks for your response - I was wondering if IP Forwarding was the solution. So, basically leave my existing (external) SNAT as-is, and just add an IP Fwding VS for the 10.20.x.x network, correct?

     

    Curious, why is SNAT Automap necessary in this scenario?

     

    Thanks, Funkdaddy

     

    • nathe
      Yes. SNAT automap is only required if the 10.20.x.x servers have a default gw other than the BigIP. Might not be required.
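
The forwarding-VS approach suggested in the replies, written out as tmsh commands run from the BIG-IP bash prompt. This is an added example, not part of the original thread; the /16 masks for 10.2.x.x and 10.20.x.x, the virtual server name `fwd_to_10_20` and the VLAN name `internal` are assumptions, and the `source` property requires a version that supports it.

```tmsh
# Forwarding (IP) virtual server for traffic destined to 10.20.0.0/16.
# A listener with a specific destination is matched ahead of the
# catch-all SNAT, so the existing external SNAT stays as it is and
# still handles Internet-bound requests.
#
# "source" and "vlans" keep the listener narrow: only the web servers
# (assumed 10.2.0.0/16) arriving on the server-side VLAN (assumed to be
# named "internal") are forwarded. Without them, anything that can reach
# the BIG-IP and targets 10.20.0.0/16 would be routed through.
tmsh create ltm virtual fwd_to_10_20 \
    destination 10.20.0.0:any mask 255.255.0.0 \
    source 10.2.0.0/16 \
    ip-forward \
    profiles add { fastL4 } \
    vlans-enabled vlans add { internal } \
    source-address-translation { type none }

# Only if the 10.20.x.x hosts use a default gateway other than the
# BIG-IP: translate the source to a BIG-IP self IP so replies return
# through it. The 10.20.x.x hosts will then log the self IP, not the
# real web server address.
tmsh modify ltm virtual fwd_to_10_20 \
    source-address-translation { type automap }

# Review the resulting object, then persist it.
tmsh list ltm virtual fwd_to_10_20
tmsh save sys config
```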