SNAT and NAT Examples

To best illustrate SNATs that use SNAT pools, the following examples show sample entries from the BIG-IP system’s bigip.conf file. Entries in the bigip.conf file represent the result of using the Configuration utility to configure the BIG-IP system.

Example 1 – Establishing a standard SNAT that uses a SNAT pool

In some cases, you might need to create a SNAT that maps an original IP address to a SNAT pool instead of to an individual translation address. To illustrate this type of SNAT, suppose an ISP wants to provide two customers with two routable IP addresses each, for links to the Internet. The customers need to use these routable IP addresses as virtual IP addresses for inbound traffic to their own servers, and as translation addresses for outbound traffic from their servers.

In this case, the SNAT provides the solution. To implement the SNAT, the ISP takes the following three steps.

First, the ISP creates the load balancing pool isp_pool, shown in Figure 13.1.

Figure 13.1 bigip.conf entries for a basic load balancing pool
pool isp_pool {
    lb_method rr
    member 199.5.6.254:0
    member 207.8.9.254:0
}

Next, the ISP creates three SNAT pools: customer1_snatpool, customer2_snatpool, and other_snatpool. This is shown in Figure 13.2. Note that the BIG-IP system automatically designates the SNAT pool members as translation addresses.

Figure 13.2 bigip.conf entries for three SNAT pools
snatpool customer1_snatpool {
    member 199.5.6.10
    member 207.8.9.10
}

snatpool customer2_snatpool {
    member 199.5.6.20
    member 207.8.9.20
}

snatpool other_snatpool {
    member 199.5.6.30
    member 207.8.9.30
}

Finally, using the Configuration utility, the ISP creates a SNAT that maps each original IP address directly to the appropriate SNAT pool, plus a default mapping that catches every other original address. Figure 13.3 shows these mappings as they appear in the bigip.conf file.

Figure 13.3 bigip.conf entries that map original addresses to SNAT pools
snat map {
    192.1.1.10 192.1.1.11 to snatpool customer1_snatpool
}

snat map {
    192.1.1.20 192.1.1.21 to snatpool customer2_snatpool
}

snat map default to snatpool other_snatpool
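To show how the entries in Figures 13.2 and 13.3 actually resolve, here is an added example that is not part of the original page and not F5's own tooling: a small Python parser for the snatpool and snat map entry forms shown above, a resolver that reports which SNAT pool (and therefore which translation addresses) a given original address gets, and a lint pass that flags a map naming an undefined pool, a translation address shared by two pools, and a missing default map. Without a default map, traffic from an original address that no map lists is simply not translated, which is the case a reviewer most wants to catch. The bigip.conf text it parses is the page's own figures embedded inline as constructed input; the regular expressions cover only the entry forms on this page, not the full bigip.conf grammar.

```python
"""Parse the snatpool / snat map entries of a bigip.conf fragment, resolve
which translation addresses an original (client) address gets, and lint the
result. Handles only the entry forms shown in Figures 13.2 and 13.3."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the entries of Figures 13.2 and 13.3, embedded inline.
SAMPLE_CONF = """
snatpool customer1_snatpool {
    member 199.5.6.10
    member 207.8.9.10
}
snatpool customer2_snatpool {
    member 199.5.6.20
    member 207.8.9.20
}
snatpool other_snatpool {
    member 199.5.6.30
    member 207.8.9.30
}
snat map {
    192.1.1.10 192.1.1.11 to snatpool customer1_snatpool
}
snat map {
    192.1.1.20 192.1.1.21 to snatpool customer2_snatpool
}
snat map default to snatpool other_snatpool
"""

POOL_RE = re.compile(r"snatpool\s+(\S+)\s*\{(.*?)\}", re.S)
MAP_RE = re.compile(r"snat\s+map\s*\{(.*?)\}", re.S)
DEFAULT_RE = re.compile(r"snat\s+map\s+default\s+to\s+snatpool\s+(\S+)")
MAP_BODY_RE = re.compile(r"(.+?)\s+to\s+snatpool\s+(\S+)", re.S)


def parse_conf(text):
    """Return (pools, maps, default): pool name -> translation addresses,
    original address -> pool name, and the default pool name (or None)."""
    pools = {}
    for m in POOL_RE.finditer(text):
        members = re.findall(r"member\s+(\S+)", m.group(2))
        for addr in members:
            ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        pools[m.group(1)] = members
    maps = {}
    for m in MAP_RE.finditer(text):
        body = MAP_BODY_RE.fullmatch(m.group(1).strip())
        if body is None:
            raise ValueError(f"unparseable snat map body: {m.group(1).strip()!r}")
        for orig in body.group(1).split():
            ipaddress.ip_address(orig)
            if orig in maps:
                raise ValueError(f"original address {orig} is mapped twice")
            maps[orig] = body.group(2)
    d = DEFAULT_RE.search(text)
    return pools, maps, d.group(1) if d else None


def resolve(pools, maps, default, client_ip):
    """Return (pool name, translation addresses) the BIG-IP system may use for
    client_ip, or (None, []) when no SNAT matches and the connection leaves
    with the client's real source address."""
    name = maps.get(client_ip, default)
    if name is None or name not in pools:
        return None, []
    return name, list(pools[name])


def lint(pools, maps, default):
    """Flag the mistakes a reviewer would look for in these entries."""
    problems = []
    for orig, name in maps.items():
        if name not in pools:
            problems.append(f"snat map for {orig} references undefined snatpool {name}")
    if default is None:
        problems.append("no 'snat map default': unmapped originals leave untranslated")
    elif default not in pools:
        problems.append(f"default map references undefined snatpool {default}")
    owners = defaultdict(list)
    for name, members in pools.items():
        for addr in members:
            owners[addr].append(name)
    for addr, names in sorted(owners.items()):
        if len(names) > 1:
            problems.append(f"translation address {addr} appears in several pools: {names}")
    return problems


if __name__ == "__main__":
    pools, maps, default = parse_conf(SAMPLE_CONF)
    for client in ("192.1.1.10", "192.1.1.21", "10.0.0.5"):
        print(client, "->", resolve(pools, maps, default, client))
    print("lint:", lint(pools, maps, default) or "clean")
```

Run it and the unmapped address 10.0.0.5 resolves to other_snatpool only because the default map exists; delete that line from the sample and the same address resolves to (None, []), which is what the lint message is warning about.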

Example 2 – Establishing an intelligent SNAT

If you want to base SNAT mapping on criteria other than the original client IP address, such as a server port, you can write an iRule and specify a SNAT pool within the iRule. In this case, you use the SNAT screens in the Configuration utility to create a SNAT pool only, and not an actual SNAT object.

For example, suppose an ISP has two redundant connections to the Internet. In addition, the ISP handles many simultaneous CHAT connections (using port 531) and wants to avoid exhausting the supply of server-side client ports. Finally, the ISP wants to collect statistics separately for CHAT, SMTP, and all other traffic. In this case, configuring an intelligent SNAT is the best way to choose the translation address.

To implement the intelligent SNAT, the ISP takes the following steps.

First, the ISP creates a load balancing pool called out_pool. In the bigip.conf file, the pool looks like the sample in Figure 13.4.

Figure 13.4 bigip.conf entries for a pool to be used in an intelligent SNAT
pool out_pool {
    lb_method round_robin
    member 199.5.6.254:0
    member 207.8.9.254:0
}

Next, as shown in Figure 13.5, the ISP uses the Configuration utility to create a SNAT pool called chat_snatpool containing four IP addresses: 199.5.6.10, 199.5.6.11, 207.8.9.10, and 207.8.9.11. The BIG-IP system automatically designates these IP addresses as translation addresses during creation of the SNAT pool. Two of the addresses belong to each of the two next-hop networks that are to be used for CHAT traffic. In the bigip.conf file, the SNAT pool looks like the sample in Figure 13.5.

Figure 13.5 A SNAT pool definition for CHAT traffic
snatpool chat_snatpool {
    member 199.5.6.10
    member 199.5.6.11
    member 207.8.9.10
    member 207.8.9.11
}

Next, for each of these translation addresses, the ISP uses the Configuration utility to change the idle timeout value for TCP connections to 600 seconds, so that a translation address and port pair is released sooner once a CHAT connection goes idle.

Then the ISP creates a second SNAT pool, smtp_snatpool, containing two translation addresses: 199.5.6.20 and 207.8.9.20. Each address corresponds to one of the two next-hop networks that are to be used for SMTP traffic. In the bigip.conf file, the SNAT pool looks like the sample in Figure 13.6.

Figure 13.6 A SNAT pool definition for SMTP traffic
snatpool smtp_snatpool {
    member 199.5.6.20
    member 207.8.9.20
}

Next, the ISP creates the SNAT pool other_snatpool for all other traffic (that is, non-CHAT and non-SMTP traffic), where each IP address corresponds to one of the two next-hop networks that are to be used by all other traffic. This is shown in Figure 13.7.

Figure 13.7 A SNAT pool definition for all other traffic
snatpool other_snatpool {
    member 199.5.6.30
    member 207.8.9.30
}

Then the ISP writes an iRule that selects both a SNAT pool, based on the server (destination) port of the initiating packet, and the load balancing pool out_pool. Figure 13.8 shows how the iRule uses the TCP::local_port command to obtain the port value on which the choice of translation addresses is based, and the snatpool command to name the SNAT pool from which the BIG-IP system is to select the translation addresses.

Figure 13.8 Example of an iRule that references an intelligent SNAT
rule my_iRule {
    # CLIENT_ACCEPTED fires when the client-side connection is accepted, before
    # the server-side connection is opened, so the snatpool and pool chosen here
    # apply to that outbound connection.
    when CLIENT_ACCEPTED {
        # TCP::local_port is the port the client connected to on the wildcard
        # virtual server, that is, the destination (server) port of the request.
        if { [TCP::local_port] == 531 } {
            snatpool chat_snatpool
        } elseif { [TCP::local_port] == 25 } {
            snatpool smtp_snatpool
        } else {
            snatpool other_snatpool
        }
        pool out_pool
    }
}

The if statement in the iRule instructs the BIG-IP system to test the destination port carried in the header of the client request. Based on the result, the BIG-IP system selects both a SNAT pool and a load balancing pool for that connection.

As a final step, the ISP assigns the iRule as a resource to a wildcard virtual server, as shown in Figure 13.9 .

Figure 13.9 Assignment of an iRule to a wildcard virtual server
virtual 0.0.0.0:0 use rule my_iRule
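The reason the ISP gave chat_snatpool four addresses and a 600-second TCP timeout is port exhaustion, and the page does not show how to check that the numbers are enough. The following Python is an added example, not code from the page or from F5: it reproduces the iRule's port-based pool selection, hands out (translation address, port) pairs the way a SNAT must (each pair unique toward a given destination address and port, and reserved until the flow has been idle for the timeout), and simulates a steady CHAT connection rate to one server to find the rate at which four addresses with a 600-second timeout run dry. The usable port range per translation address (1024 to 65535), the server address 10.9.9.9 and the connection rates are assumptions of the model, not values from the page.

```python
"""Capacity model for the intelligent SNAT: pool selection by destination
port, per-destination (address, port) allocation with an idle timeout, and a
simulation that finds when the chat pool runs out of translation ports."""
import heapq
from collections import deque

# Assumed usable source-port range per translation address (not stated on the page).
EPHEMERAL_PORTS = range(1024, 65536)

# Translation addresses from Figures 13.5, 13.6 and 13.7.
SNAT_POOLS = {
    "chat_snatpool": ["199.5.6.10", "199.5.6.11", "207.8.9.10", "207.8.9.11"],
    "smtp_snatpool": ["199.5.6.20", "207.8.9.20"],
    "other_snatpool": ["199.5.6.30", "207.8.9.30"],
}


def select_snatpool(dest_port):
    """The same decision the iRule makes on the client request's destination port."""
    if dest_port == 531:
        return "chat_snatpool"
    if dest_port == 25:
        return "smtp_snatpool"
    return "other_snatpool"


def flow_capacity(pool):
    """(address, port) pairs a pool can hand out toward one server address:port."""
    return len(SNAT_POOLS[pool]) * len(EPHEMERAL_PORTS)


def max_sustainable_rate(pool, idle_timeout):
    """Steady new-connection rate (per second, toward one server) above which
    flows held for the full idle timeout must exhaust the pool."""
    return flow_capacity(pool) / idle_timeout


class PortExhausted(Exception):
    pass


class SnatTranslator:
    """Allocates (translation address, port) pairs that are unique per
    destination and releases each one idle_timeout seconds after allocation."""

    def __init__(self, pools, idle_timeout):
        self.pools = pools
        self.idle_timeout = idle_timeout
        self.free = {}      # (pool, dest) -> deque of unused (addr, port) pairs
        self.expiry = []    # heap of (expire_at, pool, dest, addr, port)
        self.live = 0       # pairs currently reserved

    def allocate(self, now, pool, dest):
        self.expire(now)
        key = (pool, dest)
        if key not in self.free:  # first flow toward this destination: all pairs free
            self.free[key] = deque((a, p) for a in self.pools[pool] for p in EPHEMERAL_PORTS)
        if not self.free[key]:
            raise PortExhausted(f"{pool} has no free translation port toward {dest}")
        addr, port = self.free[key].popleft()
        heapq.heappush(self.expiry, (now + self.idle_timeout, pool, dest, addr, port))
        self.live += 1
        return addr, port

    def expire(self, now):
        """Return every pair whose idle timeout has elapsed to its free list."""
        while self.expiry and self.expiry[0][0] <= now:
            _, pool, dest, addr, port = heapq.heappop(self.expiry)
            self.free[(pool, dest)].append((addr, port))
            self.live -= 1


def simulate(rate, idle_timeout, duration, dest=("10.9.9.9", 531)):
    """Open `rate` flows per second toward one (assumed) server for `duration`
    seconds, each held for the idle timeout. Returns (peak live flows, second at
    which the pool was first exhausted, or None if it never was)."""
    pool = select_snatpool(dest[1])
    snat = SnatTranslator(SNAT_POOLS, idle_timeout)
    peak = 0
    for now in range(duration):
        for _ in range(rate):
            try:
                snat.allocate(now, pool, dest)
            except PortExhausted:
                return peak, now
        peak = max(peak, snat.live)
    return peak, None


if __name__ == "__main__":
    print("chat pool capacity per destination:", flow_capacity("chat_snatpool"))
    print("sustainable CHAT rate at 600 s timeout: %.1f conn/s"
          % max_sustainable_rate("chat_snatpool", 600))
    for rate in (400, 500):
        print(f"{rate} conn/s for 700 s ->", simulate(rate, 600, 700))
```

Two things the model makes visible that the prose does not: exhaustion is counted per destination address and port, so the figure to size against is the connection rate toward the busiest single CHAT server (the same pairs are reused freely toward a second server), and the sustainable rate scales directly with the idle timeout, which is why lowering it is the lever the ISP pulls before adding more translation addresses.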
