SNAT’s role in F5 Load Balance
What is SNAT?
SNAT stands for Secure Network Address Translation. It is an object that maps the source IP address of a client request to a translation address defined on the BIG-IP device.
Is it Source Network Address Translation or Secure Network Address Translation? Technically, Secure Network Address Translation is the correct expansion, but "source address translation" is easier to remember, because a SNAT translates the source address of an incoming connection. SNAT is commonly used in single-arm deployments of BIG-IP devices, where the servers' replies to clients would otherwise be forwarded by their default gateway to some other device, such as a firewall or router.
In these cases SNAT is useful: the client's source address is translated to a BIG-IP self IP address. This is not the default behavior of the BIG-IP. With SNAT, the translated source address belongs to the server's subnet, so the server's response returns through the BIG-IP device even when the server's gateway points to another device such as a router or firewall.
A SNAT is composed of three components:
Translation options: a single IP address, Automap (the self IP(s) of the Local Traffic Manager), or a SNAT pool (multiple addresses). This is what the client's source address is translated to.
Origin options: All Addresses (everything coming into the VLAN you specify) or an Address List (specific client addresses). These are the client source addresses the SNAT applies to.
VLAN traffic options: All VLANs (every VLAN), Enabled (only on the VLANs you specify) or Disabled (on all VLANs other than the ones you specify).
SNATs can be global (i.e. applied to traffic coming through the LTM®), or they can be associated with a Virtual Server.
Global Traffic and SNAT
Outbound Traffic – SNAT solves a common problem by translating the source addresses of many hosts in an internal subnet that is not Internet routable to one external Internet address. It is similar, though not identical, to how your home router works. Traffic that hits the BIG-IP is matched against the “origin”, which is either an address list you specify containing all hosts or “all addresses” for the specified VLAN. In this case, “Translation” refers to one address. When traffic returns to the BIG-IP from the destination, it is translated back to its origin address.
A simple explanation of SNAT automap
Hopefully, you will gain a better understanding of SNAT’s inner workings after reading this article.
SNAT automap changes the source address of the connection to the self IP of the egress interface (chosen in a particular order of preference), so that the return traffic comes back to the load balancer. Otherwise, asymmetric traffic would result if the destination host routed around the load balancer when replying to the client, unless the servers use the Local Traffic Manager (LTM) as their gateway. I discuss this in the “inline” section below.
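To make the three SNAT components (translation, origin, VLAN scope) and the automap case concrete, here is an added Python model of how a SNAT object decides which source address a server sees. It is not F5 code; the addresses, VLAN names and round-robin pool selection are constructed assumptions, and the real BIG-IP pool selection algorithm is not modelled.

```python
import ipaddress
import itertools


class Snat:
    """Model of an LTM SNAT object (constructed example, not F5 code).

    origins:     CIDR strings; an empty list means "All Addresses".
    translation: one IP string, a list of IPs (a SNAT pool), or "automap".
    vlans:       VLAN names the SNAT is Enabled on (vlans_enabled=True) or
                 Disabled on (vlans_enabled=False); empty means "All VLANs".
    """

    def __init__(self, origins, translation, vlans=None, vlans_enabled=True):
        self.origins = [ipaddress.ip_network(o) for o in origins]
        self.translation = translation
        self.vlans = set(vlans or [])
        self.vlans_enabled = vlans_enabled
        # Assumption: pool members are handed out round-robin.
        members = translation if isinstance(translation, list) else [translation]
        self._pool = itertools.cycle(members)

    def applies_to_vlan(self, ingress_vlan):
        if not self.vlans:                      # "All VLANs"
            return True
        # Enabled: only the listed VLANs; Disabled: every VLAN except those listed
        return (ingress_vlan in self.vlans) == self.vlans_enabled

    def matches_origin(self, client_ip):
        if not self.origins:                    # "All Addresses"
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.origins)

    def translate(self, client_ip, ingress_vlan, egress_self_ip):
        """Source address the server will see for this connection."""
        # When the SNAT does not apply the client address is left as-is, which is
        # the case where the server's reply follows its own gateway and may route
        # around the BIG-IP (asymmetric traffic).
        if not (self.applies_to_vlan(ingress_vlan) and self.matches_origin(client_ip)):
            return client_ip
        if self.translation == "automap":
            return egress_self_ip               # self IP of the egress VLAN
        return next(self._pool)


if __name__ == "__main__":
    # Constructed topology: clients in 192.168.1.0/24 arrive on VLAN "internal";
    # servers sit on 10.10.10.0/24 where the BIG-IP self IP is 10.10.10.1.
    pool_snat = Snat(["192.168.1.0/24"], ["10.10.10.5", "10.10.10.6"], vlans=["internal"])
    print(pool_snat.translate("192.168.1.20", "internal", "10.10.10.1"))  # 10.10.10.5
    print(Snat([], "automap").translate("203.0.113.7", "external", "10.10.10.1"))  # 10.10.10.1
```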
Why do I need SNAT?
Simply put, you need SNAT when using the BIG-IP because the F5 is a stateful full proxy: traffic passing through it must return through it, or the connection will be broken. The picture shows a common inbound SNAT scenario. The servers are not pointing to the BIG-IP as their gateway but to a layer-3 device, a router. Step 5a shows the case in which SNAT is turned on at the VIP and traffic is sent back to the F5 BIG-IP, which is part of the directly connected subnet.