Forum Discussion
Configuration should be like below: F5 (10.x.x.x) ---> Firewall (172.x.x.x) ---> NAT should be on the firewall for 172.x.x.x to 200.x.x.x
You need to configure as mentioned below:
- Configure the F5 VIP; the pool member should be 172.x.x.x. For example, the pool member is 172.1.1.1.
- You should create a NAT on the firewall for 172.1.1.1, and it should map to the public IP 200.1.1.1.
- The F5 should have routes towards the firewall.
- The firewall should have a route towards the internet.
I hope this helps.
- NoelMcK_381487, Feb 17, 2019, Nimbostratus
I assume the VIP is a 10.x.x.x addr on the inside? If that's the case, the F5 will perform the destination translation to the 172.1.1.1 outbound?
The destination IP that the 10.x.x.x servers will connect to could be any public IP. I should also mention that one of the other external legs of the F5 has a public IP range and is connected to another interface on the FW. The default route for the F5 is pointing via this interface.
- RaghavendraSY, Feb 17, 2019, Altostratus
Can you please provide the F5 interface IP address details? I am assuming it is like this.
The F5 internal IP address is 10.x.x.x; the F5 external IP address is 172.x.x.x towards the firewall. The firewall external IP address will be the external IPs; the firewall internal IP address will be the internal IPs.
- NoelMcK_381487, Feb 17, 2019, Nimbostratus
Updated the diag
- RaghavendraSY, Feb 17, 2019, Altostratus
Then you need to configure like this:
- Configure the F5 VIP as 10.x.x.x (SNAT should be automap); the pool member should be 172.x.x.x. For example, the pool member is 172.1.1.1.
- You should create a NAT on the firewall for 172.1.1.1, and it should map to the public IP 200.1.1.1.
- The F5 should have routes towards the firewall.
- The firewall should have a route towards the internet.
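The F5 side of the configuration described in this reply, written out as a bigip.conf-style fragment. This is an added example, not configuration posted in the thread; the VIP address 10.1.1.100, the SFTP port 22, the firewall's inside address 172.1.1.254 and the VLAN name internal are assumed values.

```tmsh
ltm pool pool_fw_sftp {
    members {
        172.1.1.1:22 {
            address 172.1.1.1
        }
    }
    monitor tcp
}
ltm virtual vs_sftp_out {
    destination 10.1.1.100:22
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_fw_sftp
    profiles {
        fastL4 { }
    }
    source-address-translation {
        type automap
    }
    vlans {
        internal
    }
    vlans-enabled
}
net route route_to_fw {
    gw 172.1.1.254
    network 172.1.1.0/24
}
```

With SNAT automap the firewall sees these connections sourced from the F5's 172.x.x.x self IP; the firewall-side NAT of 172.1.1.1 to 200.1.1.1 is firewall configuration and is not shown here. Because the pool member is fixed, this only matches traffic the 10.x.x.x servers send to the VIP address itself, which is the limitation raised in the later replies.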
- RaghavendraSY, Feb 17, 2019, Altostratus
Above configuration should work for you.
- NoelMcK_381487, Feb 17, 2019, Nimbostratus
The dest IP of the internal servers (10.x.x.x) is any public IP. They will not target a 10.x.x.x VIP.
- RaghavendraSY, Feb 17, 2019, Altostratus
Your internal servers should reach the 10.x.x.x VIP, from there the firewall and then the internet. (It is a secure flow.)
- NoelMcK_381487, Feb 17, 2019, Nimbostratus
"should reach" - what does this mean? Do you mean "target"?
The internal servers can't target a single VIP, as the destination IP that the 10.x.x.x servers will use is unknown; it's just any public IP addr.
- RaghavendraSY, Feb 17, 2019, Altostratus
You mean there is no specific public IP as the destination? If yes, can you please let me know the destination subnet, listening port, etc.?
- NoelMcK_381487, Feb 17, 2019, Nimbostratus
No specific public IP. It's an outbound SFTP connection to any.