Forum Discussion

Anthony_Pineda
Nov 20, 2014

SNAT automap

A colleague of mine has created the SNAT below:

ltm snat def-automap { automap origins { 0.0.0.0/0 { } } }

He says that is all that is needed in order to ensure that all the virtual servers (VS) on this LTM will be SNATed to the egress self-IP. Is this true? The servers behind the VS point to a router as their default gateway. I have always gone inside every VS and chosen SNAT and Automap to do this. Thanks!

9 Replies

  • Riley_Schuit_82
    Historic F5 Account

    Yes, that is true. It's essentially a global SNAT that will apply to all traffic destined for virtual servers. This is probably fine for simple setups, but there are many applications that do not have functionality similar to X-Forwarded-For to find the source address after it's SNAT'd.

    • Anthony_Pineda
      So once I have this in place I can leave SNAT inside the virtual server as None and I would still see incoming traffic as coming from the LTM self-IP?
  • So once I have this in place I can leave SNAT inside the virtual server as None and I would still see incoming traffic as coming from the LTM self-IP?

    Yes.

    Anyway, I prefer the SNAT setting under the virtual server to a global SNAT because it is more granular (i.e. it is applied to traffic to the virtual server only).

    • Anthony_Pineda
      I tested this in the lab with a setting of None on the VS. Without specifying Automap within the VS configuration, the server still sees the original client IP (None setting) despite the presence of a global SNAT automap object.
  • Hi,

    Am I wrong that it will open the LTM to any traffic directed to any of its self IPs? If a SNAT object with Automap and All Addresses is set and All VLANs is selected as well, then it will be possible to reach any servers in internal from external and vice versa? For example, any computer in internal with its DG set to the internal VLAN self IP will be able to reach servers in the external VLAN, and any computer in external with its DG set to the external self IP can reach servers in internal. The DG does not even need to be set to the self IPs if a static route is created on the computer. At least that is the result of a test I did today. So the SNAT object by itself will be routing traffic via the LTM even when there is no VS defined.

    Piotr
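An audit check for the two behaviours discussed in this thread, added here as an example (it is not code from anyone in the thread or from F5): it parses a constructed `tmsh list`-style dump and flags a SNAT object whose origins cover 0.0.0.0/0 with no VLAN restriction (the transit-through-any-self-IP case Piotr describes) and any virtual server with no source-address-translation of its own (the case where Anthony's test still showed the client IP). The config text, object names and addresses are made up, and the parser assumes the one-entry-per-line brace layout tmsh prints.

```python
# Constructed tmsh dump (not from the thread): the question's global SNAT, a VLAN-scoped one,
# and a virtual with no SNAT of its own. Object names and addresses are made up.
SAMPLE_CONFIG = """
ltm snat def-automap {
    automap
    origins {
        0.0.0.0/0 { }
    }
}
ltm snat snat-internal {
    automap
    origins {
        10.10.0.0/16 { }
    }
    vlans {
        internal
    }
    vlans-enabled
}
ltm virtual vs_legacy {
    destination 192.0.2.11:80
}
"""

def parse_tmsh(text):  # nested dicts; each line is 'key {', '}', 'key { }' or a leaf
    stack = [{}]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):  # empty sub-block, e.g. an origin entry
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        else:  # 'key value' leaf, or a bare flag such as automap / vlans-enabled
            key, _, value = line.partition(" ")
            stack[-1][key] = value or True
    return stack[0]

def audit(config):  # findings a config review would raise for the two patterns in the thread
    findings = []
    for name, obj in config.items():
        if name.startswith("ltm snat "):
            wide_open = "0.0.0.0/0" in obj.get("origins", {})
            vlan_scoped = "vlans-enabled" in obj and bool(obj.get("vlans"))
            if wide_open and not vlan_scoped:  # Piotr's case: transit via any self IP
                findings.append((name, "global SNAT matches every source on every VLAN"))
        elif name.startswith("ltm virtual ") and "source-address-translation" not in obj:
            findings.append((name, "no SNAT on the virtual; pool members see the client IP"))
    return findings
```

Call `audit(parse_tmsh(SAMPLE_CONFIG))` to see both findings, or feed it the output of `tmsh list ltm snat` and `tmsh list ltm virtual` from a real unit.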