What is SNAT in F5 Load Balancing? SNAT vs. Inline. What is a NAT?
If you’re new to F5 Networks BIG-IP devices and have just started dabbling in the world of Application Delivery and SNAT, you may find yourself asking some questions about address translation. BIG-IP systems can perform address translation in three ways: SNAT, NAT, and Virtual Servers. We’ll also cover traffic that BIG-IP LTMs handle without doing any address translation, which we refer to as in-line communication. Let’s dive into the wonderful world of address translation.
What is SNAT?
I’ve seen SNAT referenced two ways in F5’s documentation, Source Network Address Translation and Secure Network Address Translation, both of which are correct. “Source” makes it easier to understand, because you are translating the “source” addresses of the client initiating the traffic, or, as the device refers to it, the “origin”. It’s “Secure” because you can’t initiate traffic to a SNAT: the “translation” addresses are never known to the host initiating the traffic. In short, a SNAT is made up of three components:
- Translation – Options: an IP address (a single address), a SNAT Pool (multiple addresses), or Automap (the self IP(s) of the Local Traffic Manager). This is what the source address of the client is translated to.
- Origin – Options: All addresses (everything coming in on the VLAN you specify), or an Address list (specific addresses you provide). These are the source addresses of the client.
- VLAN Traffic – Options: All VLANs (every VLAN), Enabled on (only on the VLANs specified), or Disabled on (all VLANs except the ones you specify).
The most common misunderstanding is how a SNAT can be used. Unlike a traditional NAT, you can’t send traffic to a SNAT address. SNATs are either global (i.e. applied to traffic coming through the LTM), or they can be associated with a Virtual Server. The first option is the hardest to get your head around; the second, associating a SNAT with a Virtual Server, is a lot easier to grasp and is usually everyone’s first exposure to SNAT, using “SNAT automap” applied to a virtual server. In both cases SNAT is generally used to solve routing issues and can be used with a variety of mappings, including but not limited to one-to-one, many-to-one, and all-to-one. Let’s dive into the first option and see if we can get a better understanding of a SNAT that is not applied to a Virtual Server but affects the LTM globally.
Global traffic and SNAT
Outbound traffic: translating the source address of many hosts on an internal, non-Internet-routable subnet to one external, Internet-routable address is a common problem solved with SNAT. Think about how your home router works; it’s not the same, but it is a similar concept. When traffic hits the BIG-IP, the “origin” would equate to an “address list” you specify with all the hosts in it, or “all addresses” for that specific VLAN, and the “translation” would be one single address (in this example). The destination now sees the “translation” address as your new source. When traffic returns to the BIG-IP from the destination, it is translated back to the original origin address. It’s important to note that by default SNATs are allowed on all VLANs, but you can get more granular and split them out between multiple VLANs.
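To make the three components and the outbound/return behaviour concrete, here is a small Python model of a SNAT. It is an added illustration, not F5 code or a BIG-IP API; the flow tuples, addresses and the simple ephemeral-port counter are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, List, Optional, Set, Tuple

# Constructed flow tuple: (src_ip, src_port, dst_ip, dst_port, vlan)
Flow = Tuple[str, int, str, int, str]
Key = Tuple[str, int, str, int]  # (translated_ip, translated_port, dst_ip, dst_port)


@dataclass
class Snat:
    """Toy model of the three SNAT components: Translation, Origin, VLAN Traffic."""
    translation: List[str]                 # one address, or several == a SNAT pool
    origin: Optional[Set[str]] = None      # None models "All addresses"
    vlan_mode: str = "all"                 # "all", "enabled" or "disabled"
    vlans: Set[str] = field(default_factory=set)
    table: Dict[Key, Tuple[str, int]] = field(default_factory=dict)
    next_port: int = 1025                  # simplified ephemeral-port allocator

    def __post_init__(self) -> None:
        self._pool = cycle(self.translation)  # round-robin over the pool

    def matches(self, flow: Flow) -> bool:
        """Origin address list plus VLAN policy decide whether a flow is SNATed."""
        src, _, _, _, vlan = flow
        if self.origin is not None and src not in self.origin:
            return False
        if self.vlan_mode == "enabled":
            return vlan in self.vlans
        if self.vlan_mode == "disabled":
            return vlan not in self.vlans
        return True

    def forward(self, flow: Flow) -> Flow:
        """Client -> server: rewrite the source and remember how to undo it.
        The source port is rewritten too, so many clients can share one
        translation address without their flows colliding."""
        if not self.matches(flow):
            return flow
        src, sport, dst, dport, vlan = flow
        tip, tport = next(self._pool), self.next_port
        self.next_port += 1
        self.table[(tip, tport, dst, dport)] = (src, sport)
        return (tip, tport, dst, dport, vlan)

    def reverse(self, flow: Flow) -> Optional[Flow]:
        """Server -> translation address: map back to the origin. Traffic no
        client initiated has no table entry and is dropped (None), which is
        the 'Secure' property: nothing can be initiated toward a SNAT."""
        src, sport, dst, dport, vlan = flow
        orig = self.table.get((dst, dport, src, sport))
        return None if orig is None else (src, sport, orig[0], orig[1], vlan)
```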
Virtual Servers and SNAT
Inbound traffic: Virtual Servers can have SNATs applied to them, effectively changing the source of the client initiating traffic to the VS. Here’s the really cool part about SNATing: with SNAT, anything you can route to you can load balance to! That, my F5ers, is a beautiful thing! You see, in most cases the servers you want to load balance are NOT going to have the BIG-IP as their gateway, so unless you translate the source address to something that belongs to the BIG-IP, you’re going to end up routing “around” the BIG-IP instead of “through” it, resulting in your VS not working and what we call asymmetrical routing, a fancy term for traffic taking different paths in one direction than in the other. Asymmetrical routing is not always going to break traffic, but when dealing with a stateful device, something that maintains a connection like the full-proxy BIG-IP, asymmetrical routing can break your communication.