101 · Question #77
Given the configuration shown below, if a connection request arrived on the BIG-IP with a source address of 200.10.10.10:1050 and a destination of 150.10.10.75:80, what would the source IP address of
The correct answer is C. 10.10.1.I00B.10.10.1.100. The incoming connection to 150.10.10.75:80 matches VS_network (not VS_web), which applies snatpool client_pool; the BIG-IP selects 10.10.1.100 as the SNAT source because it is on the same subnet as the pool members.
Question
Given the configuration shown below, if a connection request arrived on the BIG-IP with a source address of 200.10.10.10:1050 and a destination of 150.10.10.75:80, what would the source IP address of the associated packet be when it arrived on the choosen member of the web_pool self 150.10.10.1 { netmask 255.255.255.0 unit I floating enable vlan external allow tcp https } self 10.10.1.1 { netmask 255.255.255.0 unit I floating enable vlan internal allow default } pool web_pool { member 10.10.1.11:80 member 10.10.1.12:80 member 10.10.1.13:80 }snatpool client_pool { member 10.10.1.100 member 150.10.10.15 }virtual VS_web { destination 150.10.10.10:80 ip protocol tcp snat automap pool web_pool }virtual VS_network{ destination 150.10.1 0.0:any mask 255.255.255.0 snatpool client_pool ip protocol tcp pool web_pool } virtual VS_network { destination 150.10.1 0.0:any mask 255.255.255.0 snatpool client_pool ip protocol tcp pool web_pool } virtual VS_network { destination 150.10.10.0:any mask 255.255.255.0 snatpool client_pool ip protocol tcp pool web_pool }
Options
- A10.10.1.IA.10.10.1.1
- B200.10.10.I0D.200.10.10.10
- C10.10.1.I00B.10.10.1.100
- D150.10.10.15C.150.10.10.15
How the community answered
(19 responses)- A11% (2)
- B5% (1)
- C63% (12)
- D21% (4)
Why each option
The incoming connection to 150.10.10.75:80 matches VS_network (not VS_web), which applies snatpool client_pool; the BIG-IP selects 10.10.1.100 as the SNAT source because it is on the same subnet as the pool members.
10.10.1.1 is a floating self IP on the internal VLAN, not a member of snatpool client_pool, so it is never used as a SNAT source address.
200.10.10.10 is the original client source IP; SNAT replaces this address - the client IP is never forwarded to pool members when SNAT is active.
The destination 150.10.10.75:80 does not match VS_web (which requires exactly 150.10.10.10:80) but does match VS_network's wildcard destination 150.10.10.0/24:any. VS_network references snatpool client_pool containing 10.10.1.100 and 150.10.10.15. Because the web_pool members (10.10.1.11-13) reside on the 10.10.1.0/24 internal subnet, the BIG-IP selects 10.10.1.100 from client_pool as the translated source address since it is routable on that same internal VLAN.
150.10.10.15 is a member of client_pool but belongs to the external 150.10.10.0/24 subnet, making it an inappropriate source address for traffic destined to the internal 10.10.1.0/24 pool members.
Concept tested: F5 BIG-IP SNAT pool address selection with wildcard virtual server matching
Source: https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-local-traffic-management-getting-started-with-nat/big-ip-local-traffic-management-getting-started-with-nat.html
Topics
Community Discussion
No community discussion yet for this question.