Thursday, 25 July 2019

CONFUSION OVER SNAT OBJECTS IN THE F5 LTM GUI (XUI)


Reading the documentation on SNAT and comparing it to what you see in the GUI is not easy.
Firstly, it's important to know the purpose of SNAT with regard to direction.
Inbound connections (typically from the Internet to the F5) use the referenced SNAT address as the new source IP of the connection the F5 opens towards your server (or servers). That source address may also be affected by NAT configuration, or be set to Automap (which uses a Self IP).
Outbound connections (typically from your servers to the Internet) use the referenced SNAT address as the new source IP of the connection the F5 opens towards the Internet server. Again, NAT configuration may affect the source address.
In both cases we are talking about egress from the F5 and a change to the source IP only. An outbound connection already has a destination, and that is left untouched: there is nothing to configure in the LTM for it, the packets simply pass through. Only the source IP may change, because of the SNAT or NAT entry.
However you describe it, the key point is that SNAT affects the source IP only. One practical consequence is that the server only ever sees the translated address, so SNAT hides the real client IP from server-side logs and access controls; for HTTP traffic you can preserve it by having the HTTP profile insert an X-Forwarded-For header.
Now where do you go to create the SNAT….
The GUI has 3 tabs that reference the word SNAT:
  • SNAT List
  • SNAT Pool
  • SNAT Translation List
SNAT Pool

This is the easiest to create and understand. It's a named set of translation IP addresses that, once created, is referenced by a Virtual Server object for inbound purposes (the BIG-IP picks one of the pool's addresses as the source of each connection it opens to a server).
If you create a SNAT Pool object it appears listed below on the SNAT Pool page, but the IP addresses also appear on the SNAT Translation List page (confusing but useful!). The SNAT Translation page is where you adjust timers and connection limits for the SNAT Pool entries.
A SNAT Pool object doesn't reference anything other than the IP addresses.
A SNAT Pool can't do anything on its own (unlike a SNAT List); it needs referencing by either a Virtual Server or a SNAT List.
SNAT List
A SNAT List object has configuration that isn't seen anywhere on the SNAT Pool or SNAT Translation List page:
  • Origin: the client (original) source addresses the translation applies to, either All Addresses or an address list
  • VLAN: the VLANs on which matching traffic must arrive
  • Translation: the IP addresses to translate to, as a single IP address, a SNAT Pool or Automap
A SNAT List object can therefore reference an IP address, a SNAT Pool or Automap, and it restricts the use of that translation to client connections that come from the Origin addresses and arrive on the listed VLANs. However, the BIGGEST DIFFERENCE is that a SNAT List doesn't need to be referenced by a Virtual Server to perform a translation. It is effectively a stand-alone, default SNAT. That also makes it the easiest object to over-scope: an Origin of All Addresses with Automap on an internal VLAN turns the BIG-IP into a general outbound NAT for everything on that VLAN, so set Origin and VLAN deliberately.
SNAT Translation List
First, you don't need to create or edit a SNAT Translation object unless you want to:
  • Name the entries that appear on the SNAT Translation List page
  • Adjust any of the following for a particular SNAT Pool address or SNAT List address:
    • ARP
    • Connection Limit
    • TCP Idle Timeout
    • UDP Idle Timeout
    • IP Idle Timeout
Secondly, if you create a SNAT List object with an IP address or a SNAT Pool object, the addresses from both appear on the SNAT Translation List page (confusing but useful!). If you create a SNAT List Automap object it doesn't appear on the SNAT Translation List page, because Automap uses a Self IP rather than a translation address object.
Disabling a SNAT Translation object doesn't appear to have any impact on an associated overlapping SNAT List entry.
Also, creating a SNAT Translation object has no effect unless there is a corresponding SNAT List object or SNAT Pool entry with the same IP address.
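The three objects described above, built in the order the GUI pages imply, as one worked tmsh configuration. This is an added example and not configuration from the original post; the object names (snatpool_dmz, pool_web, vs_web, snat_outbound, snat_outbound_automap, http_xff), the VLAN name internal and the RFC 5737 / RFC 1918 addresses are assumptions, and it assumes a server pool called pool_web already exists.

```tmsh
# Added example, not from the original post. Names, VLAN and addresses are
# assumed for illustration; pool_web is assumed to exist already.

# 1. SNAT Pool: a named set of translation addresses. On its own it does
#    nothing until a virtual server or a SNAT (the GUI's SNAT List) refers
#    to it. The BIG-IP also creates a snat-translation object per member,
#    which is why the addresses show up on the SNAT Translation List page.
create ltm snatpool snatpool_dmz members add { 203.0.113.10 203.0.113.11 }

# Inbound: a virtual server references the pool, so the servers in pool_web
# see 203.0.113.10 or .11 as the client, never the real Internet address.
create ltm virtual vs_web destination 198.51.100.20:443 ip-protocol tcp pool pool_web source-address-translation { type snat pool snatpool_dmz }

# 2. SNAT (SNAT List): stands alone, no virtual server needed. Origin and
#    VLAN are set explicitly so this is not a catch-all NAT for the box.
create ltm snat snat_outbound origins add { 10.10.0.0/16 } vlans add { internal } vlans-enabled snatpool snatpool_dmz

# The same object using Automap (a Self IP) instead of a pool. Nothing is
# added to the SNAT Translation List because no translation address object
# is involved.
create ltm snat snat_outbound_automap origins add { 10.10.0.0/16 } vlans add { internal } vlans-enabled automap

# 3. SNAT Translation: already exists for each pool member. Edit it only to
#    set ARP, the connection limit or the idle timeouts. Creating one for an
#    address that no pool or SNAT uses changes nothing.
modify ltm snat-translation 203.0.113.10 connection-limit 5000 tcp-idle-timeout 600

# Check what the SNAT Translation List page is actually showing you.
list ltm snat-translation
list ltm snat snat_outbound

# Optional: keep the real client address visible to the HTTP servers behind
# the SNAT by inserting X-Forwarded-For from a custom HTTP profile.
create ltm profile http http_xff defaults-from http insert-xforwarded-for enabled
modify ltm virtual vs_web profiles add { http_xff { } }

save sys config
```

The two `list` commands are the quickest way to reconcile the GUI pages: `list ltm snat-translation` shows every address that will appear on the SNAT Translation List page, and the SNAT objects show which Origin and VLAN scope each translation is limited to.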


