Configuring SNATs

SNATs provide mappings between multiple nodes, often internal devices, and a SNAT address. The SNAT address is generally externally routable where the node’s address may not be. Connections cannot be initiated to a SNAT address. This is what makes SNATs more secure. When the BIG-IP system sees a connection initiation from a SNAT-associated address, the source address is translated from the actual address to the SNAT address. When the device responds, the SNAT address is converted back to the original address.

SNATs can be configured many ways. A one-to-one mapping allows a single host to initiate connections via the BIG-IP system. A many-to-one mapping allows a group of hosts to initiate connections via the BIG-IP system. An all-to-one mapping allows all hosts to initiate connections via the BIG-IP system. In all cases, the SNAT must be enabled on the VLAN where the client’s traffic initially arrives on the BIG-IP system. By default, SNATs are enabled on all VLANs. SNATs can also be configured within a virtual server definition.

How does a SNAT work?
A SNAT works in the following way:

1. The BIG-IP system receives a packet from an original client IP address and checks to see if that source address is defined in a SNAT.
2. If the client’s IP address is defined in a SNAT, the BIG-IP system changes that source IP address to the translation address defined in the SNAT.
3. The BIG-IP system then sends the client request, with the SNAT translation address as the source address, to the target server.
The end result of this process is that the target server has a routable IP address for the client that the server can specify as the destination IP address in its response.

Creating a SNAT pool

If you decide that you want to use a SNAT pool as the way to specify translation addresses in your SNAT, you must first create the SNAT pool, specifying one or more translation addresses that you want to include in the SNAT pool. You create a SNAT pool using the Configuration utility. For background information on SNAT pools
After creating the SNAT pool, you then create the type of SNAT that best suits your needs (a standard SNAT, an intelligent SNAT, or a SNAT pool that you assign directly to a virtual server). To understand the different types of SNATs that you can create.
A SNAT pool has two settings that you must configure when you create it.
1. Name
2. Member List

Each translation address that you add to the SNAT pool has settings that you can configure after you add the address to the SNAT pool. For information on these settings,

Once you create a SNAT pool, you must do one of the following:
1. Reference the SNAT pool from within a SNAT object that you create. You do this when you create a standard SNAT. For more information
2. Reference the SNAT pool from within an iRule and then assign the iRule to a virtual server as a resource. You do this when you create an intelligent SNAT.
3. Assign the SNAT pool directly to a virtual server as a resource.

To create a SNAT pool

  1. On the Main tab, expand Local Traffic, and click SNATs.
    The SNATs screen opens.
  2. On the menu bar, click SNAT Pool List.
    This displays a list of existing SNAT pools.
  3. In the upper-right corner of the screen, click Create.

Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a SNAT.

  4. For the Name setting, type a unique name for the SNAT pool.
  5. For the Member List setting, type an IP address.
  6. Click Add.
  7. Repeat steps 5 and 6 for each translation address that you want to add.
  8. Click Finished.

Implementing a SNAT

Before implementing secure network address translation, you should decide which type of SNAT you want to create. The types of SNATs you can create are:

  • Standard SNAT
    A standard SNAT is an object you create, using the Configuration utility, that specifies the mapping of one or more original client IP addresses to a translation address. For this type of SNAT, the criteria that the BIG-IP system uses to decide when to apply the translation address is based strictly on the original IP address. That is, if a packet arrives from the original IP address that you specified in the SNAT, then the BIG-IP system translates that address to the specified translation address.

    There are three types of standard SNATs that you can create:

    • A SNAT in which you specify a specific translation address
    • A SNAT that uses the automap feature
    • A SNAT in which you specify a SNAT pool as your translation address
  • Intelligent SNAT
    Like a standard SNAT, an intelligent SNAT is the mapping of one or more original client IP addresses to a translation address. However, you implement this type of SNAT mapping within an iRule instead of by creating a SNAT object. For this type of SNAT, the criteria that the BIG-IP system uses to decide when to apply a translation address is based on any piece of data you specify within the iRule, such as an HTTP cookie or a server port.
  • SNAT pool assigned as a virtual server resource
    This type of SNAT consists of just a SNAT pool that you directly assign as a resource to a virtual server. When you implement this type of SNAT, you create a SNAT pool only; you do not need to create a SNAT object or an iRule.

Creating a standard SNAT

You create a standard SNAT using the Configuration utility. The translation address or addresses that you map to an original IP address can be either a specific IP address, an existing SNAT pool, or a self IP address (using the automap feature).

When you create a standard SNAT, the BIG-IP system automatically assigns a set of properties to the SNAT. While you must configure the Name and Translation settings at the time that you create the SNAT, you can use the default values for the other settings, or modify those values later.

Note: SNATs cannot reside in partitions. Therefore, a user’s ability to create and manage SNATs is defined by their user role, rather than their partition-access assignment. 

To create a standard SNAT

  1. On the Main tab, expand Local Traffic, and click SNATs.
    The SNATs screen opens.
  2. In the upper-right corner of the screen, click Create.

Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a SNAT.

  3. For the Name setting, type a unique name for the SNAT.
  4. For the Translation setting, select IP Address, SNAT Pool, or Automap.
  5. If you selected IP Address or SNAT Pool, type an IP address or select a SNAT pool name.
  6. Change or retain all other values.
  7. Click Finished.

Each SNAT that you define must have a unique name.

Specifying a translation address

The Translation setting specifies the translation addresses that you want to map to your original client IP addresses.

There are three possible values for the Translation setting:

  • IP Address
    When creating a SNAT, you can specify a particular IP address that you want the SNAT to use as a translation address. For the procedure on specifying a particular translation address.
  • SNAT pool
    Specifying this value allows you to specify an existing SNAT pool to which you want to map your original client IP address. For information on SNAT pools and how to create them. For an example of a standard SNAT that uses a SNAT pool.
  • Automap
    Similar to a SNAT pool, the SNAT automap feature allows you to map one or more original client IP addresses to a pool of translation addresses. However, with the SNAT automap feature, you do not need to create the pool. Instead, the BIG-IP system effectively creates a pool for you, using all of the BIG-IP system’s self IP addresses as the translation addresses for the pool.

Specifying original IP addresses

The Origin setting specifies the original client IP addresses that you want to map to translation addresses. You can add one IP address or multiple IP addresses as values for this setting.

Specifying VLAN traffic

The VLAN Traffic setting specifies the VLANs to which you want the SNAT to apply. Possible values are: All VLANs, Enabled On, and Disabled On.

Creating an intelligent SNAT

One way to perform secure address translation is to create an intelligent SNAT. As described previously, an intelligent SNAT is not a SNAT object, but instead an iRule that maps one or more original client IP addresses to a translation address. To create an intelligent SNAT, you must complete these tasks:

  • If you are mapping an original IP address to a SNAT pool (as opposed to an individual translation address), use the New SNAT Pools screen to create one or more SNAT pools that include those translation addresses as members.
  • Use the New iRule screen to create an iRule that includes the snat or snatpool command. These iRule commands specify the translation address or the pool of translation addresses that the BIG-IP system should use to select a translation address.
  • From the Resources screen for the appropriate virtual server, assign the iRule as a resource to the virtual server.
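The following Python model is an added example, not F5 code and not a BIG-IP API: it ties together the three-step translation process described under "How does a SNAT work?" and the standard and intelligent SNAT types described above. It assumes a constructed set of self IP addresses for automap, a simple round-robin choice among SNAT pool members, per-address port allocation starting at 1025, and the precedence rule that a translation chosen by the intelligent (iRule-style) hook overrides any matching standard SNAT object. All addresses are documentation-range values constructed for the example. The model also shows why connections cannot be initiated to a SNAT address: an inbound packet is forwarded to an internal node only if it matches a connection the internal node opened.

```python
"""Constructed model of BIG-IP SNAT translation (illustration only, not F5 code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

# Constructed self IP addresses standing in for the BIG-IP system's own
# addresses; automap uses the self IP of the egress VLAN (assumed).
SELF_IPS = {"external": "203.0.113.10", "internal": "10.0.0.1"}

# A connection is (src_ip, src_port, dst_ip, dst_port).
Conn = Tuple[str, int, str, int]


@dataclass
class SnatPool:
    name: str
    members: List[str]
    _next: int = 0

    def pick(self) -> str:
        # Round-robin among translation addresses (assumed selection policy).
        addr = self.members[self._next % len(self.members)]
        self._next += 1
        return addr


@dataclass
class StandardSnat:
    name: str
    origins: List[str]                          # CIDR strings, e.g. "10.0.0.0/8"
    translation: Union[str, SnatPool]           # IP string, SnatPool, or "automap"
    vlans_enabled: Optional[Set[str]] = None    # None means enabled on all VLANs

    def matches(self, src: str, ingress_vlan: str) -> bool:
        # Step 1: the decision is based strictly on the original source address
        # (and on whether the SNAT is enabled on the VLAN the packet arrived on).
        if self.vlans_enabled is not None and ingress_vlan not in self.vlans_enabled:
            return False
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(o) for o in self.origins)

    def pick(self, egress_vlan: str) -> str:
        if self.translation == "automap":
            return SELF_IPS[egress_vlan]
        if isinstance(self.translation, SnatPool):
            return self.translation.pick()
        return self.translation


class SnatEngine:
    """Holds the standard SNATs, an optional intelligent hook, and the
    connection table used to reverse the translation on server replies."""

    def __init__(self, snats: List[StandardSnat],
                 intelligent: Optional[Callable[[dict], Union[str, SnatPool, None]]] = None):
        self.snats = snats
        self.intelligent = intelligent        # models an iRule's snat/snatpool decision
        self.table: Dict[Conn, Conn] = {}     # translated 4-tuple -> original 4-tuple
        self.next_port: Dict[str, int] = {}   # per translation address

    def client_connect(self, conn: Conn, ingress_vlan: str, egress_vlan: str,
                       meta: Optional[dict] = None) -> Conn:
        src, sport, dst, dport = conn
        choice: Optional[str] = None
        # Intelligent SNAT: the hook may decide on any data (cookie, server port...).
        if self.intelligent is not None:
            picked = self.intelligent(meta or {})
            choice = picked.pick() if isinstance(picked, SnatPool) else picked
        # Standard SNAT: first object whose origins include the source address.
        if choice is None:
            for snat in self.snats:
                if snat.matches(src, ingress_vlan):
                    choice = snat.pick(egress_vlan)
                    break
        if choice is None:
            return conn                        # no SNAT applies; forwarded unchanged
        # Step 2: rewrite the source address (a fresh port keeps many-to-one unique).
        nport = self.next_port.get(choice, 1024) + 1
        self.next_port[choice] = nport
        translated = (choice, nport, dst, dport)
        self.table[translated] = conn
        return translated                      # Step 3: sent to the target server

    def inbound(self, packet: Conn) -> Optional[Conn]:
        """Packet arriving at a SNAT address. Returns the packet re-addressed to the
        original client, or None when it does not belong to a client-opened
        connection (e.g. someone trying to initiate a connection to the SNAT address)."""
        peer_ip, peer_port, snat_ip, snat_port = packet
        orig = self.table.get((snat_ip, snat_port, peer_ip, peer_port))
        if orig is None:
            return None
        return (peer_ip, peer_port, orig[0], orig[1])
```

A standard SNAT with a two-member pool enabled only on the internal VLAN translates two internal clients to two different pool members, the server's reply is mapped back to the right client, a packet addressed to the SNAT address that matches no open connection is dropped, and the same source arriving on a VLAN where the SNAT is disabled is forwarded untranslated. Passing an intelligent hook that returns a pool for a particular cookie value models the iRule case.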
