Forum Discussion

crengifo_232216
Apr 26, 2017
Solved

SNAT using Proxy SSL

Hi,

I am planning to create a virtual server with SSL profiles (client and server) that will use the Proxy SSL feature. I wonder whether the virtual server has to use a SNAT pool, SNAT automap (which I am planning to use), or none.

F5 11.6.1

Thanks!

 

  • It completely depends on the organization's network setup. SNAT Automap uses the egress VLAN interface (self) IP. If you don't have visibility into the next-hop setup, I would suggest you configure SNAT Automap on the VIP.

    For Client -> F5 -> Server, consider these scenarios:

    Routed: the client source address goes to the server. Routes back through the F5 BIG-IP are necessary on the servers or on the servers' gateway.

    SNAT Automap: the client source is managed on the BIG-IP; the source is translated to the self IP on the egress interface heading toward the servers. Not suitable for servers that need the client source IP for reporting or decision processes.

    SNAT Pool: the client source is managed on the F5 BIG-IP, but the source is translated to an IP you configure and attach to the virtual server. I like this option because I can map external IP -> internal IP by application, so I know which flows belong to which application on the inside of the organization/DMZ, as appropriate. If traffic doesn't need to come back through the BIG-IP, you can also SNAT to the original client's source IP.

3 Replies


    • crengifo_232216

      Thanks f5_rock!

      I was concerned about whether the use of the Proxy SSL feature requires a special SNAT setting on the virtual server. So, based on your information, I can use whichever option is most affordable for the organization where I work.

    • Samir_Jha_52506

      Cool. Proxy SSL (ClientSSL/ServerSSL) doesn't require any additional setting. I would suggest you check the existing VIP configuration (if any) on the same F5 device and build the new VIP config based on that, i.e. whether you need the SNAT automap option or not. You can enable SNAT automap; it's not an issue.
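The following tmsh commands are an added example, not configuration posted by anyone in this thread, showing the three source-address-translation choices from the first answer on a virtual server whose SSL profiles have Proxy SSL enabled, which is the point the last reply confirms. All object names, addresses, and certificate/key file names (app1_*, 192.0.2.10, 10.10.10.x, app1.crt, app1.key) are constructed placeholders; the syntax is the 11.x tmsh form.

```tmsh
# Added example (not from the thread). Names, addresses and files are placeholders.

# Proxy SSL is enabled on both sides of the full proxy. The client-ssl profile must
# carry the backend server's own certificate and private key, because the BIG-IP
# observes the handshake and derives the session keys instead of terminating TLS.
create ltm profile client-ssl app1_clientssl defaults-from clientssl cert app1.crt key app1.key proxy-ssl enabled
create ltm profile server-ssl app1_serverssl defaults-from serverssl proxy-ssl enabled

# Backend pool (constructed addresses).
create ltm pool app1_pool members add { 10.10.10.11:443 10.10.10.12:443 }

# Option 1: SNAT Automap. Servers see the egress self IP, so the return path
# needs no special routing, but the client IP is lost on the server side.
create ltm virtual app1_vs destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp app1_clientssl { context clientside } app1_serverssl { context serverside } } pool app1_pool source-address-translation { type automap }

# Option 2: SNAT pool. A per-application translated address you control, so
# inside-the-DMZ flows can be mapped back to the application that produced them.
create ltm snatpool app1_snatpool members add { 10.10.10.50 }
modify ltm virtual app1_vs source-address-translation { type snat pool app1_snatpool }

# Option 3: Routed (no SNAT). Servers see the real client IP, so the servers or
# their gateway must route the return traffic back through this BIG-IP.
modify ltm virtual app1_vs source-address-translation { type none }

# Check what is actually in effect: SNAT mode on the VIP, Proxy SSL on the profiles.
list ltm virtual app1_vs source-address-translation
list ltm profile client-ssl app1_clientssl proxy-ssl
list ltm profile server-ssl app1_serverssl proxy-ssl
```

Only one of the three source-address-translation settings is active at a time; the modify commands simply switch the same virtual server between them so the difference is visible in the final list output. None of the SNAT settings touch the two SSL profiles, which is the reason Proxy SSL works identically under each option.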