Manual Chapter: Configuring SNATs and NATs
A virtual server configured on a BIG-IP® Link Controller system translates the destination IP address of an incoming packet to another destination IP address, for the purpose of load balancing that packet. Normally, the source IP address remains unchanged.
As an option, you can also create a secure network address translation (SNAT). A SNAT is an object that maps an original client IP address (that is, a source IP address) to a translation address that you choose. Thus, a SNAT causes the BIG-IP system to translate the source IP address of an incoming packet to an address that you specify. The purpose of a SNAT is simple: to ensure that the target server sends its response back through the BIG-IP system rather than to the original client IP address directly.
To create a SNAT, you either use the Configuration utility or write an iRule, depending on the type of SNAT you are creating. For information on iRulesTM, see the F5 Networks DevCentral web site http://devcentral.f5.com, or Chapter 18, Writing iRules.
Tip: Because the purpose of a SNAT is simply to change the source IP address of incoming packets, the term secure network address translation is a slight misnomer. A better way to define the SNAT acronym would be source network address translation, or source NAT.
1. The BIG-IP system receives a packet from an original client IP address and checks to see if that source address is defined in a SNAT.
2. If the client's IP address is defined in a SNAT, the BIG-IP system changes that source IP address to the translation address defined in the SNAT.
3. The BIG-IP system then sends the client request, with the SNAT translation address as the source address, to the target server.
The end result of this process is that the target server has a routable IP address for the client that the server can specify as the destination IP address in its response.
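As an added illustration of the three steps above (this is not F5 code; the client, server and translation addresses, the packet layout and the flow table are constructed for the example), the following Python model rewrites the source of an outbound packet, records the flow, and uses that record to map the server's reply back to the client. It also covers the two cases the steps imply: a source that no SNAT defines passes through unchanged, and a packet aimed at the translation address that matches no recorded flow is dropped, which is why a SNAT address can initiate connections but does not accept new ones. Allocating a fresh source port per flow is this example's simplification of the system's own port handling.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The IP/TCP header fields the model needs (constructed for the example)."""
    src: str
    sport: int
    dst: str
    dport: int


class SnatDevice:
    """Stand-in for a BIG-IP applying a standard SNAT.

    snat_map maps an original client IP address to the translation address
    chosen for it (the Address List form of the Origin setting).
    """

    def __init__(self, snat_map: Dict[str, str], first_port: int = 1025) -> None:
        self.snat_map = dict(snat_map)
        self._next_port = first_port
        # server-side flow (server, server port, translation, port) -> (client, client port)
        self.connections: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1 to 3 for a packet arriving from a client."""
        translation = self.snat_map.get(pkt.src)
        if translation is None:
            return pkt  # step 1: source not defined in any SNAT, so it stays unchanged
        # step 2: rewrite the source; a fresh source port keeps flows from different
        # clients distinct once they share one translation address (example assumption)
        rewritten = replace(pkt, src=translation, sport=self._next_port)
        self._next_port += 1
        key = (rewritten.dst, rewritten.dport, rewritten.src, rewritten.sport)
        self.connections[key] = (pkt.src, pkt.sport)
        return rewritten  # step 3: forwarded to the server with the SNAT source

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Server reply: map the translation address back to the client.

        The server addressed its response to the translation address, so the
        response necessarily came back through this device. A packet that
        matches no recorded flow is dropped (None).
        """
        client = self.connections.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if client is None:
            return None
        return replace(pkt, dst=client[0], dport=client[1])


def demo() -> dict:
    """Walk one SNAT'd flow, one client outside the SNAT and one unsolicited packet."""
    dev = SnatDevice({"192.0.2.10": "203.0.113.5"})  # constructed addresses
    out = dev.outbound(Packet("192.0.2.10", 40000, "198.51.100.7", 80))
    reply = dev.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.sport))
    untouched = dev.outbound(Packet("192.0.2.99", 40000, "198.51.100.7", 80))
    unsolicited = dev.inbound(Packet("198.51.100.7", 80, "203.0.113.5", 2222))
    return {"out": out, "reply": reply, "untouched": untouched, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

The flow table is keyed on the server-side 4-tuple, so only a reply to a flow this device itself opened is mapped back; everything else addressed to the translation address is discarded rather than forwarded to a client.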
When you create a SNAT, you map an original IP address to a translation address in one of several ways, depending on your needs. For example, you can explicitly map an original IP address to a single translation address, or you can create a pool of translation addresses and map the original IP address to that pool of addresses.
One way to create a SNAT is to directly map one or more original IP addresses to a specific translation address that you choose. A SNAT that you create in this way is a type of standard SNAT. A standard SNAT is a SNAT object that you create using the New SNAT screen of the Configuration utility. For more information on standard SNATs, see Implementing a SNAT.
Another way to create a SNAT is to use a feature of the BIG-IP system called SNAT automap. The SNAT automap feature automatically maps one of the system's self IP addresses to the original IP address you specify during SNAT creation. When you use this feature, you do not need to explicitly specify a translation address.
You can also create a SNAT by creating a pool of translation addresses and then mapping an original IP address to the entire translation pool. This pool of translation addresses is known as a SNAT pool. You create a SNAT pool using the New SNAT Pool screen of the Configuration utility. For information on creating a SNAT pool, see Implementing a SNAT.
Once you have created a SNAT pool and mapped it to an original IP address, and the virtual server then receives a packet from the original IP address, the BIG-IP system chooses a translation address from that SNAT pool. The system then translates the original IP address to the chosen address.
By creating a SNAT object.
A SNAT that you create this way, using the New SNAT screen in the Configuration utility, is a type of standard SNAT. For more information on standard SNATs, see Creating a standard SNAT.
By writing an iRule.
In this case, you do not create a SNAT object. Instead, you write an iRule that includes a snat or snatpool command. The type of SNAT that you create by writing an iRule is called an intelligent SNAT. An intelligent SNAT is the mapping of one or more original client IP addresses to a translation address through the use of an iRule. For more information on intelligent SNATs, see Creating an intelligent SNAT.
Yet another way to create a SNAT is to create a SNAT pool (using the New SNAT Pool screen of the Configuration utility) and directly assign it to a virtual server as a resource of that virtual server. Once you have assigned a SNAT pool to a virtual server, the BIG-IP system automatically maps all original IP addresses coming through the virtual server to that SNAT pool. As with intelligent SNATs, you do not create a SNAT object, with the New SNAT screen, in the Configuration utility. For more information on this type of SNAT, see Assigning a SNAT pool directly to a virtual server.
If you decide to use a SNAT pool as the way to specify translation addresses in your SNAT, you must first create the SNAT pool, specifying one or more translation addresses that you want to include in the SNAT pool. You create a SNAT pool using the Configuration utility. For background information on SNAT pools, see Mapping a specific original IP address to a pool of translation addresses.
After creating the SNAT pool, you then create the type of SNAT that best suits your needs (a standard SNAT, an intelligent SNAT, or a SNAT pool that you assign directly to a virtual server). To understand the different types of SNATs that you can create, see Implementing a SNAT.
The list of IP addresses that you want to include in SNAT pool. If the IP addresses that you add are not already designated as translation addresses, the BIG-IP system automatically designates them as such and assigns them the appropriate properties with their default values. This setting is required.
Each translation address that you add to the SNAT pool has settings that you can configure after you add the address to the SNAT pool. For information on these settings, see Specifying a translation address.
Reference the SNAT pool from within a SNAT object that you create. You do this when you create a standard SNAT. For more information, see Creating a standard SNAT.
Reference the SNAT pool from within an iRule and then assign the iRule to a virtual server as a resource. You do this when you create an intelligent SNAT. For more information, see Creating an intelligent SNAT.
1. On the Main tab, expand Local Traffic, and click SNATs.
   The SNATs screen opens.
2. On the menu bar, click SNAT Pool List.
   This displays a list of existing SNAT pools.
4. For the Name setting, type a unique name for the SNAT pool.
5. In the Member List section, type an IP address.
6. Click Add.
8. Click Finished.
Before implementing secure network address translation, you should decide which type of SNAT you want to create. The types of SNATs you can create are:
Standard SNAT
A standard SNAT is an object you create, using the Configuration utility, that specifies the mapping of one or more original client IP addresses to a translation address. For this type of SNAT, the criteria that the BIG-IP system uses to decide when to apply the translation address is based strictly on the original IP address. That is, if a packet arrives from the original IP address that you specified in the SNAT, then the BIG-IP system translates that address to the specified translation address.

There are three types of standard SNATs that you can create:
Intelligent SNAT
Like a standard SNAT, an intelligent SNAT is the mapping of one or more original client IP addresses to a translation address. However, you implement this type of SNAT mapping within an iRule instead of by creating a SNAT object. For this type of SNAT, the criteria that the BIG-IP system uses to decide when to apply a translation address is based on any piece of data you specify within the iRule, such as an HTTP cookie or a server port.
SNAT pool assigned as a virtual server resource
This type of SNAT consists of just a SNAT pool that you directly assign as a resource to a virtual server. When you implement this type of SNAT, you create a SNAT pool only; you do not need to create a SNAT object or an iRule.
You create a standard SNAT using the Configuration utility. The translation address or addresses that you map to an original IP address can be either a specific IP address, an existing SNAT pool, or a self IP address (using the automap feature).
When you create a standard SNAT, the BIG-IP system automatically assigns a set of properties to the SNAT. While you must configure the Name and Translation settings at the time that you create the SNAT, you can use the default values for the other settings, or modify those values later.
1. On the Main tab, expand Local Traffic, and click SNATs.
   The SNATs screen opens.
3. For the Name setting, type a unique name for the SNAT.
4. For the Translation setting, select IP Address, SNAT Pool, or Automap.
5. If you selected IP Address or SNAT Pool, type an IP address or select a SNAT pool name.
7. Click Finished.
Table 19.2 shows the settings that you can configure for a SNAT. Following the table are detailed descriptions of each setting.
Translation: Depending on the value selected, specifies an individual IP address, a SNAT pool name, or the Automap option. Possible values are: IP Address, SNAT Pool, or Automap.
Origin: Specifies the original client IP addresses to which you want to map a translation address or pool of translation or self IP addresses. Possible values are All Addresses or Address List.
The most basic setting you can configure for a standard SNAT is the SNAT name. SNAT names are case-sensitive and may contain letters, numbers, and underscores (_) only. Reserved keywords are not allowed.
The Translation setting specifies the translation addresses that you want to map to your original client IP addresses. For background information on translation addresses, see Mapping original IP addresses to translation addresses.
IP Address
When creating a SNAT, you can specify a particular IP address that you want the SNAT to use as a translation address. For the procedure on specifying a particular translation address, see To explicitly define a translation address.
SNAT pool
Specifying this value allows you to specify an existing SNAT pool to which you want to map your original client IP address. For information on SNAT pools and how to create them, see Creating a SNAT pool. For an example of a standard SNAT that uses a SNAT pool, see Example 1 - Establishing a standard SNAT that uses a SNAT pool.
Automap
Similar to a SNAT pool, the SNAT automap feature allows you to map one or more original client IP addresses to a pool of translation addresses. However, with the SNAT automap feature, you do not need to create the pool. Instead, the BIG-IP system effectively creates a pool for you, using all of the BIG-IP system's self IP addresses as the translation addresses for the pool.
When you specify a translation address or a SNAT pool, the BIG-IP system automatically assigns a set of properties to that translation address. You can use the default values for these properties, or you can change them to suit your needs. Table 19.3 lists and describes the properties of a translation address.
State: The state of the translation address, that is, enabled or disabled. If set to disabled, the translation address is not used to initiate a connection.
Connection Limit: The maximum number of concurrent connections a translation address can have; once it reaches this limit, the address no longer initiates connections. The default value of 0 indicates that the setting is disabled.
TCP Idle Timeout: A timer that defines the number of seconds that TCP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Possible values are Indefinite or Specify.
UDP Idle Timeout: A timer that defines the number of seconds that UDP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Possible values are Indefinite or Specify.
IP Idle Timeout: A timer that defines the number of seconds that IP connections initiated using a SNAT address are allowed to remain idle before being automatically disconnected. Possible values are Indefinite or Specify.
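The following Python model, added here as an illustration and not taken from F5, shows how the translation-address properties in Table 19.3 interact when the system picks an address from a SNAT pool: a disabled address (State) is never used, an address at its Connection Limit stops initiating connections, and the TCP Idle Timeout frees slots again once flows have gone quiet. The round-robin choice between members, the addresses, the limits and the clock values are all constructed assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TranslationAddress:
    address: str
    enabled: bool = True                        # State: enabled or disabled
    connection_limit: int = 0                   # Connection Limit; 0 means disabled
    tcp_idle_timeout: Optional[float] = 300.0   # TCP Idle Timeout in seconds; None = Indefinite
    active: Dict[int, float] = field(default_factory=dict)  # connection id -> last activity time

    def can_initiate(self) -> bool:
        """A disabled address, or one at its limit, initiates nothing."""
        if not self.enabled:
            return False
        return not (self.connection_limit and len(self.active) >= self.connection_limit)

    def expire_idle(self, now: float) -> int:
        """Disconnect TCP flows idle longer than the timeout; return how many were dropped."""
        if self.tcp_idle_timeout is None:
            return 0
        stale = [c for c, last in self.active.items() if now - last > self.tcp_idle_timeout]
        for c in stale:
            del self.active[c]
        return len(stale)


class SnatPool:
    """Round-robin over member addresses, honouring State and Connection Limit."""

    def __init__(self, members: List[TranslationAddress]) -> None:
        self.members = list(members)
        self._next = 0

    def open(self, conn_id: int, now: float) -> Optional[str]:
        """Pick an address for a new connection, or None if no member can take it."""
        for m in self.members:
            m.expire_idle(now)
        for _ in range(len(self.members)):
            m = self.members[self._next % len(self.members)]
            self._next += 1
            if m.can_initiate():
                m.active[conn_id] = now
                return m.address
        return None


def demo() -> List[Optional[str]]:
    """Two addresses with a limit of 2 each and a 600 s TCP idle timeout (constructed)."""
    a = TranslationAddress("203.0.113.10", connection_limit=2, tcp_idle_timeout=600)
    b = TranslationAddress("203.0.113.11", connection_limit=2, tcp_idle_timeout=600)
    pool = SnatPool([a, b])
    picks = [pool.open(i, now=0) for i in range(4)]   # fills both addresses
    picks.append(pool.open(4, now=10))                # both at their limit: refused
    picks.append(pool.open(5, now=700))               # idle flows expired, slots free again
    b.enabled = False                                  # State = Disabled on the second address
    picks.append(pool.open(6, now=700))               # only the first address can initiate
    return picks


if __name__ == "__main__":
    print(demo())
```

A refused pick (None) is the situation a practitioner should alarm on: with a small pool and a non-zero Connection Limit, new client connections through the SNAT fail until idle flows time out.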
The Origin setting specifies the original client IP addresses that you want to map to translation addresses. You can add one IP address or multiple IP addresses as values for this setting.
The VLAN Traffic setting specifies the VLANs to which you want the SNAT to apply. Possible values are: ALL VLANS, Enabled On, and Disabled On.
One way to perform secure address translation is to create an intelligent SNAT. As described previously, an intelligent SNAT is not a SNAT object, but instead an iRule that maps one or more original client IP addresses to a translation address. To create an intelligent SNAT, you must complete these tasks:
If you are mapping an original IP address to a SNAT pool (as opposed to an individual translation address), use the New SNAT Pools screen to create one or more SNAT pools that include those translation addresses as members. For more information, see To create a SNAT pool.
Use the New iRule screen to create an iRule that includes the snat or snatpool command. These iRule commands specify the translation address or the pool of translation addresses that the BIG-IP system should use to select a translation address. For more information on iRules, see the F5 Networks DevCentral web site http://devcentral.f5.com, and Chapter 18, Writing iRules.
From the Resources screen for the appropriate virtual server, assign the iRule as a resource to the virtual server. For more information on virtual servers, see Chapter 6, Configuring Virtual Servers.
Rather than creating a SNAT object, or an intelligent SNAT using an iRule, you have the option of simply creating a SNAT pool and then assigning it as a resource directly to a virtual server. This eliminates the need for you to explicitly define original IP addresses to which to map translation addresses.
A network address translation (NAT) provides an alias IP address that a node can use as its source IP address when making or receiving connections to clients on the external network. (This distinguishes it from a SNAT, which can initiate but not receive a connection.)
The IP addresses that identify nodes on the internal network need not be routable on the external network. This protects nodes from illegal connection attempts, but it also prevents nodes (and other hosts on the internal network) from receiving direct administrative connections, or from initiating connections to external servers, such as mail servers or databases.
Using NATs solves this problem. NATs assign to a particular node a routable IP address that the node can use as its source IP address when connecting to external servers. You can use the NAT IP address to connect directly to the node through the BIG-IP system, rather than having the BIG-IP system send the traffic to a random node according to the specified load balancing method.
Note: NATs do not support port translation, and are not appropriate for protocols that embed IP addresses in the packet, such as FTP, NT Domain or CORBA IIOP.
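To make the two points above concrete, here is an added Python model (not F5 code) of a NAT as this chapter describes it: a one-to-one alias for a single node that works in both directions, rewriting only the IP address and never a port, so a connection made to the NAT address reaches that node directly instead of being load balanced. The second half of the example shows why the note warns about protocols that embed IP addresses: an FTP PORT command in the payload still carries the node's internal address after the header has been translated. The NAT entry, the packet layout and the FTP payload are constructed for the example.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class Nat:
    """One NAT per node: NAT Address <-> Origin Address, usable in both directions."""

    def __init__(self, entries: Dict[str, str]) -> None:
        self.nat_to_node = dict(entries)                     # NAT Address -> Origin Address
        self.node_to_nat = {n: a for a, n in entries.items()}

    def outbound(self, pkt: Packet) -> Packet:
        """Node initiating a connection: the source becomes the NAT address; ports are untouched."""
        nat = self.node_to_nat.get(pkt.src)
        return replace(pkt, src=nat) if nat else pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Connection made *to* the NAT address: forwarded to that node directly.

        Unlike a SNAT translation address, a NAT address accepts new inbound
        connections. Packets for an address no NAT defines are dropped (None).
        """
        node = self.nat_to_node.get(pkt.dst)
        return replace(pkt, dst=node) if node else None


# Active-mode FTP announces a data-connection address inside the command channel.
_PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def embedded_addresses(pkt: Packet) -> List[str]:
    """IP addresses carried inside the payload, which a NAT leaves untouched."""
    return [".".join(m.group(i).decode() for i in range(1, 5))
            for m in _PORT_CMD.finditer(pkt.payload)]


def leaks_internal_address(pkt: Packet, internal_prefix: str) -> bool:
    """True when a translated packet still reveals a non-routable node address in its payload."""
    return any(a.startswith(internal_prefix) for a in embedded_addresses(pkt))


def demo() -> dict:
    nat = Nat({"203.0.113.21": "10.0.0.5"})  # constructed: routable alias for one internal node
    ftp = Packet("10.0.0.5", 21000, "198.51.100.9", 21, b"PORT 10,0,0,5,4,1\r\n")
    out = nat.outbound(ftp)
    admin = nat.inbound(Packet("198.51.100.50", 50000, "203.0.113.21", 22))
    stray = nat.inbound(Packet("198.51.100.50", 50000, "203.0.113.99", 22))
    return {"out": out, "admin": admin, "stray": stray,
            "leak": leaks_internal_address(out, "10.")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `leak` result is the practical reason behind the note: the header now says 203.0.113.21 but the payload still tells the peer to connect to 10.0.0.5, which is not routable from outside, so the protocol breaks and an internal address is disclosed.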
You must create a separate NAT for each node, using the Configuration utility. When you create a NAT, you configure a set of properties. While you must configure the NAT Address and Origin Address settings at the time that you create the NAT, you can use the default values for the other settings, or modify those values later.
1. On the Main tab, expand Local Traffic, and click SNATs.
   The SNATs screen opens.
3. In the upper right corner, click Create.
   The New NAT screen opens.
4. In the NAT Address box, type the IP address that you want to use as a translation address.
5. In the Origin Address box, type the original client IP address to be translated.
7. Click Finished.
Table 19.4 shows the settings that you can configure for a NAT, with a description of each.
ARP: A setting that instructs the BIG-IP system to respond to ARP requests from the specified NAT address, and send gratuitous ARP requests for router table updates.
In addition to these options, you can set up forwarding virtual servers that allow you to selectively forward traffic to specific addresses.
The IP address defined in the Origin Address box must be routable to a specific server behind the system.
Using the Configuration utility, you can manage existing SNATs in many ways. For example, you might want to view a list of existing SNAT pools before creating a new one. Or you might want to modify the way that a standard SNAT maps an original IP address to a translation address.
1. On the Main tab, expand Local Traffic, and click SNATs.
   This displays a list of existing SNATs.
If you want to view or modify a NAT, find the NAT List menu, and click a NAT address.
1. On the Main tab, expand Local Traffic, and click SNATs.
   This displays a list of existing SNATs.
2. On the menu bar, click SNAT Pool List.
   This displays a list of existing SNAT pools.
1. On the Main tab, expand Local Traffic, and click SNATs.
2. On the menu bar, click SNAT Translation List.
   This displays any existing translation addresses.
5. Click Finished.
1. On the Main tab, expand Local Traffic, and click SNATs.
   This displays a list of existing SNATs.
2. On the menu bar, click SNAT Translation List.
   This displays a list of existing translation addresses.
1. On the Main tab, expand Local Traffic, and click SNATs.
   This displays a list of existing SNATs.
If you want to delete a SNAT, locate the SNAT you want to delete, and check the Select box on the left.
If you want to delete a NAT, click NAT List on the menu bar, locate the NAT you want to delete, and check the Select box to the left.
1. On the Main tab, expand Local Traffic, and click SNATs.
   This displays a list of existing SNATs.
2. On the menu bar, click SNAT Pool List.
   This displays a list of existing SNAT pools.
1. On the Main tab, expand Local Traffic, and click SNATs.
   This displays a list of existing SNATs.
2. On the menu bar, click SNAT Translation List.
   This displays a list of existing translation addresses.
When configuring a load balancing pool, you can specifically disable SNAT or NAT translations on any connections that use that pool. By default, this setting is enabled. For more information, see Chapter 5, Configuring Load Balancing Pools.
1. On the Main tab, expand Local Traffic, and click SNATs.
2. On the menu bar, click SNAT Translation List.
3. Click the name of the address you want to enable or disable.
   The properties screen for the SNAT opens.
4. From the State setting, select either Enabled or Disabled.
5. Click the Update button.
The following examples demonstrate ways to implement SNATs that make use of SNAT pools. The examples illustrate how you can:
Note: To best illustrate SNATs that use SNAT pools, the following examples show sample entries from the BIG-IP system's bigip.conf file. Entries in the bigip.conf file represent the result of using the Configuration utility to configure the BIG-IP system.
In some cases, you might need to create a SNAT that maps an original IP address to a SNAT pool instead of to an individual translation address. To illustrate this type of SNAT, suppose an ISP wants to provide two customers with two routable IP addresses each, for links to the Internet. The customers need to use these routable IP addresses as virtual IP addresses for inbound traffic to their own servers, and as translation addresses for outbound traffic from their servers.
Figure 19.1 bigip.conf entries for a basic load balancing pool
pool isp_pool {
   lb_method rr
   member 199.5.6.254:0
   member 207.8.9.254:0
}
Next, the ISP creates three SNAT pools: customer1_snatpool, customer2_snatpool, and other_snatpool. This is shown in Figure 19.2. Note that the BIG-IP system automatically designates the SNAT pool members as translation addresses.
Figure 19.2 bigip.conf entries for three SNAT pools
snatpool customer1_snatpool {
   member 199.5.6.10
   member 207.8.9.10
}
snatpool customer2_snatpool {
   member 199.5.6.20
   member 207.8.9.20
}
snatpool other_snatpool {
   member 199.5.6.30
   member 207.8.9.30
}
Finally, using the Configuration utility, the ISP creates a SNAT that maps each original IP address directly to the appropriate SNAT pool. Figure 19.3 shows these mappings as they appear in the bigip.conf file.
Figure 19.3 bigip.conf entries that map original addresses to SNAT pools
snat map {
   192.1.1.10 192.1.1.11 to snatpool customer1_snatpool
}

snat map {
   192.1.1.20 192.1.1.21 to snatpool customer2_snatpool
}

snat map default to snatpool other_snatpool
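As an added example (not F5's code), the following Python reads snatpool and snat map entries in the form shown in Figures 19.2 and 19.3 and resolves an original address to its SNAT pool and then to a translation address. The SAMPLE_CONF text is constructed here in that form using the chapter's own addresses and pool names. Two details are this example's assumptions rather than anything the chapter states: that the system picks round robin within the pool (the chapter says only that it "chooses a translation address from that SNAT pool"), and that a snat map entry naming a pool that was never defined is a configuration error worth rejecting at load time.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the bigip.conf form of Figures 19.2 and 19.3,
# using the same addresses and pool names as the chapter's example.
SAMPLE_CONF = """
snatpool customer1_snatpool {
   member 199.5.6.10
   member 207.8.9.10
}
snatpool customer2_snatpool {
   member 199.5.6.20
   member 207.8.9.20
}
snatpool other_snatpool {
   member 199.5.6.30
   member 207.8.9.30
}
snat map {
   192.1.1.10 192.1.1.11 to snatpool customer1_snatpool
}
snat map {
   192.1.1.20 192.1.1.21 to snatpool customer2_snatpool
}
snat map default to snatpool other_snatpool
"""

_MAP_ENTRY = re.compile(r"^(?P<origins>[\d. ]+?)\s+to\s+snatpool\s+(?P<pool>\S+)$")


class SnatConfig:
    """SNAT pools plus the origin -> pool mapping read from bigip.conf entries."""

    def __init__(self) -> None:
        self.pools: Dict[str, List[str]] = {}
        self.origin_to_pool: Dict[str, str] = {}
        self.default_pool: Optional[str] = None
        self._rr: Dict[str, int] = {}  # per-pool round-robin position (example assumption)

    @classmethod
    def parse(cls, text: str) -> "SnatConfig":
        cfg = cls()
        pool = None      # name of the snatpool block being read
        in_map = False   # inside a "snat map { ... }" block
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line.startswith("snatpool ") and line.endswith("{"):
                pool = line.split()[1]
                cfg.pools[pool] = []
            elif line == "}":
                pool, in_map = None, False
            elif pool is not None and line.startswith("member "):
                cfg.pools[pool].append(line.split()[1])
            elif line == "snat map {":
                in_map = True
            elif line.startswith("snat map default to snatpool "):
                cfg.default_pool = line.split()[-1]
            elif in_map and (m := _MAP_ENTRY.match(line)):
                for origin in m.group("origins").split():
                    cfg.origin_to_pool[origin] = m.group("pool")
            else:
                raise ValueError(f"unrecognised line: {line!r}")
        # every pool a snat map names must exist, or that mapping can translate nothing
        referenced = set(cfg.origin_to_pool.values()) | ({cfg.default_pool} - {None})
        missing = referenced - set(cfg.pools)
        if missing:
            raise ValueError(f"snat map references undefined pools: {sorted(missing)}")
        return cfg

    def pool_for(self, origin: str) -> Optional[str]:
        """Explicit mapping first, then the default entry, else no SNAT applies."""
        return self.origin_to_pool.get(origin, self.default_pool)

    def translation_for(self, origin: str) -> Optional[str]:
        """Next translation address for this origin, round robin within its pool."""
        pool = self.pool_for(origin)
        if pool is None:
            return None
        members = self.pools[pool]
        i = self._rr.get(pool, 0)
        self._rr[pool] = i + 1
        return members[i % len(members)]


if __name__ == "__main__":
    cfg = SnatConfig.parse(SAMPLE_CONF)
    for origin in ("192.1.1.10", "192.1.1.21", "10.9.9.9"):
        print(origin, "->", cfg.pool_for(origin), cfg.translation_for(origin))
```

Note how the default entry catches every origin that is not listed, which is exactly the behaviour that matters when auditing such a configuration: an address you forgot to list is not left untranslated, it is translated through other_snatpool.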
If you want to base SNAT mapping on criteria other than the original client IP address, such as a server port, you can write an iRule and specify a SNAT pool within the iRule. In this case, you use the SNAT screens in the Configuration utility to create a SNAT pool only, and not an actual SNAT object.
For example, suppose a user such as an ISP has two redundant connections to the Internet. In addition, the ISP handles many simultaneous CHAT connections (using port 531), and wants to avoid exhausting the supply of server-side client ports. Finally, the ISP wants to collect statistics separately for CHAT, SMTP, and all other traffic. In this case, configuring an intelligent SNAT is the best way to choose the translation address.
First, the ISP creates a load balancing pool called out_pool. In the bigip.conf file, the pool looks like the sample in Figure 19.4.
Figure 19.4 bigip.conf entries for a pool to be used in an intelligent SNAT
pool out_pool {
   lb_method round_robin
   member 199.5.6.254:0
   member 207.8.9.254:0
}
Next, as shown in Figure 19.5, the ISP uses the Configuration utility to create a SNAT pool called chat_snatpool containing four IP addresses: 199.5.6.10, 199.5.6.11, 207.8.9.10, and 207.8.9.11. The BIG-IP system automatically designates these IP addresses as translation addresses during creation of the SNAT pool. These addresses correspond to each of the two next hop networks that are to be used for CHAT traffic. In the bigip.conf file, the SNAT pool looks like the sample in Figure 19.5.
snatpool chat_snatpool {
   member 199.5.6.10
   member 199.5.6.11
   member 207.8.9.10
   member 207.8.9.11
}
Next, for each translation address, the ISP uses the Configuration utility to change the timeout value for TCP connections to 600.
Then the ISP creates a second SNAT pool, smtp_snatpool containing two translation addresses: 199.5.6.20 and 207.8.9.20. Each address corresponds to one of the two next hop networks that are to be used for SMTP traffic. In the bigip.conf file, the SNAT pool looks like the sample in Figure 19.6.
snatpool smtp_snatpool {
   member 199.5.6.20
   member 207.8.9.20
}
Next, the ISP creates the SNAT pool other_snatpool for all other traffic (that is, non-CHAT and non-SMTP traffic), where each IP address corresponds to one of the two next hop networks that are to be used by all other traffic. This is shown in Figure 19.7.
snatpool other_snatpool {
   member 199.5.6.30
   member 207.8.9.30
}
Then the ISP writes an iRule that selects both a SNAT pool, based on the server port of the initiating packet, and the load balancing pool out_pool. Figure 19.9 shows how the iRule uses the command TCP::local_port to indicate the type of packet data to be used as a basis for selecting translation addresses. The iRule also uses the command snatpool (shown in Figure 19.8) to specify the SNAT pools from which the BIG-IP system is to select the translation addresses.
rule my_iRule {
   when SERVER_CONNECTED {
      # Event name kept as the manual shows it. In practice the snatpool and
      # pool choices must be made before the server-side connection is opened,
      # so these commands are normally placed in an earlier event such as
      # CLIENT_ACCEPTED.
      # Choose the SNAT pool from the server port of the connection
      if { [TCP::local_port] equals 531 } {
         snatpool chat_snatpool
      } elseif { [TCP::local_port] equals 25 } {
         snatpool smtp_snatpool
      } else {
         snatpool other_snatpool
      }
      # Send the connection to the load balancing pool out_pool
      pool out_pool
   }
}
The if statement in the iRule instructs the BIG-IP system to test the value of the server port specified in the header of the client request. Based on the result, the BIG-IP system selects both a SNAT pool and a load balancing pool.
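The following Python model, added here and not taken from F5, reproduces the iRule's decision (port 531 to chat_snatpool, port 25 to smtp_snatpool, everything else to other_snatpool) and adds the two things the ISP in this example actually cared about: per-pool connection statistics, and the server-side source-port budget that motivated giving the CHAT pool four translation addresses instead of two. The per-address port budget is a constructed stand-in (the real limit also depends on the server address and port of each flow), and the least-loaded choice among a pool's members is this example's assumption, not the system's documented algorithm.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# The three SNAT pools from Figures 19.5 to 19.7.
SNAT_POOLS: Dict[str, List[str]] = {
    "chat_snatpool": ["199.5.6.10", "199.5.6.11", "207.8.9.10", "207.8.9.11"],
    "smtp_snatpool": ["199.5.6.20", "207.8.9.20"],
    "other_snatpool": ["199.5.6.30", "207.8.9.30"],
}


def select_snatpool(server_port: int) -> str:
    """The decision the iRule makes: 531 -> chat, 25 -> SMTP, anything else -> other."""
    if server_port == 531:
        return "chat_snatpool"
    if server_port == 25:
        return "smtp_snatpool"
    return "other_snatpool"


class IntelligentSnat:
    """Port-based pool selection with per-pool statistics and a source-port budget.

    ports_per_address is a constructed stand-in for the ephemeral ports one
    translation address can hand out (1025 to 65535 gives 64511).
    """

    def __init__(self, pools: Dict[str, List[str]], ports_per_address: int = 64511) -> None:
        self.pools = pools
        self.budget = ports_per_address
        self.in_use: Dict[str, int] = {a: 0 for addrs in pools.values() for a in addrs}
        self.stats: Counter = Counter()      # connections per pool, the ISP's separate statistics
        self.exhausted: Counter = Counter()  # attempts refused because no source port was free

    def capacity(self, pool: str) -> int:
        """More member addresses means more source ports: why chat_snatpool has four."""
        return len(self.pools[pool]) * self.budget

    def open(self, server_port: int) -> Optional[Tuple[str, str]]:
        """Return (pool, translation address) for a new connection, or None when
        every address in the selected pool has used up its source ports."""
        pool = select_snatpool(server_port)
        self.stats[pool] += 1
        free = [a for a in self.pools[pool] if self.in_use[a] < self.budget]
        if not free:
            self.exhausted[pool] += 1
            return None
        addr = min(free, key=lambda a: self.in_use[a])  # least-loaded member (example assumption)
        self.in_use[addr] += 1
        return pool, addr


def demo() -> dict:
    """Tiny port budget so exhaustion of the chat pool becomes visible."""
    snat = IntelligentSnat(SNAT_POOLS, ports_per_address=2)
    chat = [snat.open(531) for _ in range(9)]  # capacity is 4 addresses * 2 ports = 8
    return {
        "chat": chat,
        "smtp": snat.open(25),
        "other": snat.open(80),
        "stats": dict(snat.stats),
        "exhausted": dict(snat.exhausted),
        "chat_capacity": snat.capacity("chat_snatpool"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `exhausted` counter is the signal to watch in operation: once it starts climbing for a pool, new connections of that traffic class are being refused, and the remedy the example ISP chose was to add translation addresses to that pool rather than to the others.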