When the default route on the servers does not route responses back through the BIG-IP system, you can create a secure network address translation (SNAT). A secure network address translation (SNAT) ensures that server responses always return through the BIG-IP® system. You can also use a SNAT to hide the source addresses of server-initiated requests from external devices.
For inbound connections from a client, a SNAT translates the source IP address within packets to a BIG-IP system IP address that you or the BIG-IP system defines. The destination node then uses that new source address as its destination address when responding to the request.
For outbound connections, SNATs ensure that the internal IP address of the server node remains hidden to an external host when the server initiates a connection to that host.
If you want the system to choose a SNAT translation address for you, you can select the Auto Map feature. If you prefer to define your own address, you can create a SNAT pool and assign it to the virtual server.
A SNAT is similar to a NAT, except for some key differences listed in this table.
|You can map only one original address to a translation address.||You can map multiple original addresses to a single translation address. You can even map all node addresses on your network to a single public IP address, in a single SNAT object.|
|All ports on the internal node are open.||By default, SNATs support UDP and TCP only. This makes a SNAT more secure than a NAT.|
|Local Traffic Manager™ does not track NAT connections.||Local Traffic Manager tracks SNAT connections, which, in turn, allows SNATs and virtual servers to use the same public IP addresses.|
|You must explicitly enable a NAT on the internal VLAN where the internal node’s traffic arrives on the BIG-IP® system.||By default, a SNAT that you create is enabled on all VLANs.|
In the most common client-server network configuration, the Local Traffic Manager™ standard address translation mechanism ensures that server responses return to the client through the BIG-IP® system, thereby reversing the original destination IP address translation. This typical network configuration is as follows:
However, there are atypical network configurations in which the standard BIG-IP system address translation sequence by itself does not ensure that server responses use the required return path. Examples of these atypical configurations are:
This image shows a typical problem for client-initiated connections when Local Traffic Manager is not defined as the server’s default gateway, and you have not configured a SNAT for inbound traffic.
Client rejects response due to non-matching destination and source IP addresses
To prevent these problems, you can configure an inbound SNAT. An inbound SNAT translates the original client source IP address in a request to a BIG-IP system virtual server or BIG-IP system self IP address, forcing subsequent server response to return directly to Local Traffic Manager. When an inbound SNAT is configured on the system, Local Traffic Manager translates not only the destination IP address in the request (using the standard address translation mechanism), but also the source IP address in the request (using a SNAT).
The figure below shows that by configuring a SNAT, you ensure that the response returns through the BIG-IP system instead of through the default gateway, thus ensuring that the client can accept the server response.
Client accepts response due to matching destination and source IP addresses
When an internal server initiates a connection to an external host, a SNAT can translate the private, source IP addresses of one or more servers within the outgoing connection to a single, publicly-routable address. The external destination host can then use this public address as a destination address when sending the response. In this way, the private class IP addresses of the internal nodes remain hidden from the external host.
More specifically, a SNAT for an outgoing connection works in the following way:
In this example of an outgoing SNAT, Local Traffic Manager causes three internal nodes, with the IP addresses 172.16.20.4, 172.16.20.5, and 172.16.20.6, to advertise the public IP address 126.96.36.199 as the source IP address in the three outgoing connections.
Sample SNAT for multiple outgoing connections
When you create a SNAT, you map an original IP address to a translation address in one of several ways, depending on your needs:
The types of SNATs you can create are:
You can specify the translation addresses that you want to map to your original IP addresses. A translation address can be in these three forms:
You can specify the original IP addresses that you want to map to translation addresses. You can specify one IP address or multiple IP addresses.
You can specify one or more VLANs to which you want the SNAT to apply.