F5 GLOSSARY

Secure Network Address Translation (SNAT)

What is SNAT (Secure Network Address Translation)?

SNAT (Secure Network Address Translation) is a feature implemented in F5 BIG-IP Local Traffic Management (LTM), a load balancer provided by F5. SNAT modifies the source IP address of incoming packets, converting it to a different IP address. BIG-IP LTM also includes NAT functionality, which allows one-to-one mapping between private IP addresses and global IP addresses. While SNAT closely resembles NAT, it enhances functionality by enabling multiple original addresses to be mapped to a single translated address.

SNAT offers three methods for address translation:

  1. Directly mapping one or more original addresses to a specific translated address.
  2. Automatically selecting one of BIG-IP’s own IP addresses as the translated address (SNAT Automap).
  3. Using rules specifically defined in iRules (Intelligent SNAT).

A common use case for SNAT is modifying the source private IP address of outgoing requests from internal network servers to a global IP address. However, its primary function lies in handling address translation for incoming requests from external clients.

Typically, BIG-IP LTM receives packets from external clients, applies preconfigured rules to translate the destination global IP address to an internal private IP address, and forwards the packets to the server. Server responses are normally routed back through BIG-IP LTM, where the source private IP address of the server is translated back to a global IP address before being sent to the client.

However, certain network configurations disrupt this route. For example:

  • In one-arm configurations, where the client, BIG-IP, and server reside in the same network, the server response bypasses BIG-IP and is sent directly to the client. As a result, the client rejects the response because the server's source IP address does not match the IP address the client originally requested.
  • Even in more complex configurations, where BIG-IP separates the client and server segments, issues can arise if an intermediate router acts as the default gateway instead of BIG-IP, leading to similar routing problems.

SNAT resolves these issues by ensuring server responses always pass through BIG-IP. It accomplishes this by translating the source address of incoming packets to BIG-IP’s own IP address before forwarding them to the server, guaranteeing that responses return via BIG-IP.
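
The two failure cases above and the SNAT fix can be traced in a small Python model. This is an added example, not F5 code or configuration; all addresses and function names are constructed for illustration, and the server is assumed to route on-link destinations directly and everything else via its default gateway.

```python
import ipaddress

# Constructed addressing (assumptions, not from the glossary entry).
SERVER_NET = ipaddress.ip_network("10.0.0.0/24")
VIP, SELF_IP, SERVER, ROUTER = "10.0.0.100", "10.0.0.2", "10.0.0.10", "10.0.0.1"

def next_hop(dst, gateway):
    """Server routing decision: deliver on-link directly, else use the default gateway."""
    return dst if ipaddress.ip_address(dst) in SERVER_NET else gateway

def round_trip(client, gateway, snat):
    """Trace one request/response and report whether the client accepts the reply."""
    conn = {}  # BIG-IP connection table: (source seen by server, server) -> (client, VIP)
    # Inbound: destination VIP -> server; with SNAT the source becomes the self IP.
    seen_src = SELF_IP if snat else client
    conn[(seen_src, SERVER)] = (client, VIP)
    # The server answers the source address it saw.
    reply_src, reply_dst = SERVER, seen_src
    hop = next_hop(reply_dst, gateway)
    via_bigip = hop == SELF_IP
    if via_bigip:
        # Return path crosses BIG-IP, so both translations are reversed.
        reply_dst, reply_src = conn[(seen_src, SERVER)]
    # The client only accepts a reply from the address it sent the request to.
    accepted = (reply_src, reply_dst) == (VIP, client)
    return {"server_saw": seen_src, "via_bigip": via_bigip,
            "reply_src": reply_src, "accepted": accepted}

if __name__ == "__main__":
    cases = {
        "one-arm, no SNAT": ("10.0.0.50", SELF_IP, False),
        "one-arm, SNAT": ("10.0.0.50", SELF_IP, True),
        "router gateway, no SNAT": ("203.0.113.50", ROUTER, False),
        "router gateway, SNAT": ("203.0.113.50", ROUTER, True),
    }
    for name, args in cases.items():
        print(f"{name:26} {round_trip(*args)}")
```

In both SNAT cases `server_saw` is the BIG-IP self IP, so the server's own logs record that address rather than the client's.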