Forum Discussion

Rakeshvela_3309's avatar
Rakeshvela_3309
Icon for Nimbostratus rankNimbostratus
Aug 28, 2017
Solved

NAT in LTM

Hi All,

 

Say there is a Public IP Mapped to Internal IP (say Public IP owned by us)1.1.1.1 ---> 10.1.1.1(As a member). When request from outside hits the VIP 1.1.1.1, the request is sent to destination 10.1.1.1.

 

Question: Say now a new connection is initiated from 10.1.1.1 to Some external IP say 5.5.5.5, will the Source be natted to 1.1.1.1 before sending out?(There is no existing connection, this is a new connection).

 

Do we need to do a SNAT also? Please advise.

 

Thanks

 

application delivery
LTM
  • eben_259100's avatar
    eben_259100
    Aug 28, 2017

    Hi Rakeshvela

     

    From what you have described, 1.1.1.1 is the Post-NAT IP address for F5 Virtual Server IP address 10.1.1.1 right?

     

    For the question you asked, is 10.1.1.1 same as the self-ip for outbound connections? if yes, then outbound traffic will be initiated from this IP (10.1.1.1). if not, the self-ip for your outbound vlan will be used. Outbound connections to resources where F5 does not have a leg(vlan + self-ip) will be forwarded to your default gateway or next-hop ip address if static routes were set on the box. You will need to add this IP address to your internet accessible subnets in your NAT statement.

     

    HTH Regards Eben.

     

7 Replies

Sort By
  • eben_259100's avatar
    eben_259100
    Icon for Cirrostratus rankCirrostratus
    Aug 28, 2017

    Hi Rakeshvela

     

    From what you have described, 1.1.1.1 is the Post-NAT IP address for F5 Virtual Server IP address 10.1.1.1 right?

     

    For the question you asked, is 10.1.1.1 same as the self-ip for outbound connections? if yes, then outbound traffic will be initiated from this IP (10.1.1.1). if not, the self-ip for your outbound vlan will be used. Outbound connections to resources where F5 does not have a leg(vlan + self-ip) will be forwarded to your default gateway or next-hop ip address if static routes were set on the box. You will need to add this IP address to your internet accessible subnets in your NAT statement.

     

    HTH Regards Eben.

     

    • Rakeshvela_3309's avatar
      Rakeshvela_3309
      Icon for Nimbostratus rankNimbostratus
      Aug 28, 2017

      Hi Eben,

       

      The scenario is like this

       

      Say From some External IP 130.1.1.1 ----> 1.1.1.1(Coming to say this is my Public IP)

       

      1.1.1.1 ---> has members 192.168.1.1 F5 will have the session table for this and when the return traffic hits F5, it will forward accordingly.

       

      Now, say 192.168.1.1 (Member) ---> 150.3.2.2

       

      Will F5 auto NAT it to 1.1.1.1 before sending out? Please advise.

       

      Thanks

       

    • eben_259100's avatar
      eben_259100
      Icon for Cirrostratus rankCirrostratus
      Aug 28, 2017

      what is the default gateway on 192.168.1.1(member)? 1. if the default gateway points back to F5, then you need to create a forwarding VS for f5 to forward the traffic outbound because it's a default deny box. about NATing, Source address translation is set to None by default. so you might have to use automap or snatpool if neceesary. Also set protocol to all when creating the Forwarding-IP VS. 2. if the default gateway points to another network device other than F5, this will depend on your internet access policy.

       

      HTH

       

  • eben's avatar
    eben
    Icon for Nimbostratus rankNimbostratus
    Aug 28, 2017

    Hi Rakeshvela

     

    From what you have described, 1.1.1.1 is the Post-NAT IP address for F5 Virtual Server IP address 10.1.1.1 right?

     

    For the question you asked, is 10.1.1.1 same as the self-ip for outbound connections? if yes, then outbound traffic will be initiated from this IP (10.1.1.1). if not, the self-ip for your outbound vlan will be used. Outbound connections to resources where F5 does not have a leg(vlan + self-ip) will be forwarded to your default gateway or next-hop ip address if static routes were set on the box. You will need to add this IP address to your internet accessible subnets in your NAT statement.

     

    HTH Regards Eben.

     

    • Rakeshvela_3309's avatar
      Rakeshvela_3309
      Icon for Nimbostratus rankNimbostratus
      Aug 28, 2017

      Hi Eben,

       

      The scenario is like this

       

      Say From some External IP 130.1.1.1 ----> 1.1.1.1(Coming to say this is my Public IP)

       

      1.1.1.1 ---> has members 192.168.1.1 F5 will have the session table for this and when the return traffic hits F5, it will forward accordingly.

       

      Now, say 192.168.1.1 (Member) ---> 150.3.2.2

       

      Will F5 auto NAT it to 1.1.1.1 before sending out? Please advise.

       

      Thanks

       

    • eben's avatar
      eben
      Icon for Nimbostratus rankNimbostratus
      Aug 28, 2017

      what is the default gateway on 192.168.1.1(member)? 1. if the default gateway points back to F5, then you need to create a forwarding VS for f5 to forward the traffic outbound because it's a default deny box. about NATing, Source address translation is set to None by default. so you might have to use automap or snatpool if neceesary. Also set protocol to all when creating the Forwarding-IP VS. 2. if the default gateway points to another network device other than F5, this will depend on your internet access policy.

       

      HTH