OK, this ended up taking far more time than I expected. I was originally developing on a 3600/11.1 box... big mistake. Then I couldn't get the node command to actually do anything for ages, until I found the translate command.
There is no routing setup on the F5 at all; all forwarding is via the set next_hop command.
when CLIENT_ACCEPTED {
    log local5. " vlan id is [LINK::vlan_id] src [IP::client_addr] dst [IP::local_addr]"
    # Traffic arriving on the inside VLAN: SNAT if listed, then forward towards the outside transit
    if { [LINK::vlan_id] == "200" } {
        log local5. " vlan id is [LINK::vlan_id] inside "
        # if source matches in the data group snat it to the value of that entry
        if { [class match [IP::client_addr] equals inside_patList_dg] } {
            snat [class lookup [IP::client_addr] inside_patList_dg]
            log local5. " inside snat lookup [class lookup [IP::client_addr] inside_patList_dg]"
        }
        set next_vlan f5-test-outside-transit
        set next_hop 10.210.0.1%1
    }
    # Traffic arriving on the outside VLAN: SNAT if listed, then forward towards the inside transit
    if { [LINK::vlan_id] == "210" } {
        log local5. " vlan id is [LINK::vlan_id] outside "
        # if source matches in the data group snat it to the value of that entry
        if { [class match [IP::client_addr] equals outside_patList_dg] } {
            set test [class lookup [IP::client_addr] outside_patList_dg]
            snat $test
            log local5. "outside snat check worked new src [IP::client_addr] dst [IP::local_addr] test $test"
        }
        set next_vlan f5-test-inside-transit
        set next_hop 10.200.0.1%1
    }
    # if destination matches in the data group direct traffic to the value of the entry
    # (translate address must be enabled or the node command leaves the destination untouched)
    if { [class match [IP::local_addr] equals natList_dg] } {
        translate address enable
        node [class lookup [IP::local_addr] natList_dg]
        log local5. "outside node lookup [class lookup [IP::local_addr] natList_dg] src [IP::client_addr] "
    }
    log local5. "next hop vlan $next_vlan ip $next_hop"
    nexthop $next_vlan $next_hop
}
The packet cap of victory:
01:51:38.806639 IP 192.168.1.10.ewall > 10.10.0.10.microsoft-ds: S 3188598590:3188598590(0) win 65535
01:51:38.806753 IP 10.10.0.10.ewall > 192.168.1.10.microsoft-ds: S 3188598590:3188598590(0) win 65535
01:51:38.806638 IP 192.168.1.10.netdb-export > 10.10.0.10.netbios-ssn: S 1916429907:1916429907(0) win 65535
01:51:38.806773 IP 10.10.0.10.netdb-export > 192.168.1.10.netbios-ssn: S 1916429907:1916429907(0) win 65535
01:51:38.808348 IP 192.168.1.10.netbios-ssn > 10.10.0.10.netdb-export: S 1171958153:1171958153(0) ack 1916429908 win 65535
01:51:38.808354 IP 10.10.0.10.netbios-ssn > 192.168.1.10.netdb-export: S 1171958153:1171958153(0) ack 1916429908 win 65535
01:51:38.808605 IP 192.168.1.10.microsoft-ds > 10.10.0.10.ewall: S 3142739781:3142739781(0) ack 3188598591 win 65535
01:51:38.808610 IP 10.10.0.10.microsoft-ds > 192.168.1.10.ewall: S 3142739781:3142739781(0) ack 3188598591 win 65535
01:51:38.810366 IP 192.168.1.10.ewall > 10.10.0.10.microsoft-ds: . ack 1 win 65535
01:51:38.810369 IP 10.10.0.10.ewall > 192.168.1.10.microsoft-ds: . ack 1 win 65535
01:51:38.810618 IP 192.168.1.10.ewall > 10.10.0.10.microsoft-ds: P 1:138(137) ack 1 win 65535
01:51:38.810620 IP 10.10.0.10.ewall > 192.168.1.10.microsoft-ds: P 1:138(137) ack 1 win 65535
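When the translation is driven by data groups, the quickest way to confirm it actually fired (rather than trusting the log lines) is to read the capture off the F5 and pair each pre-translation packet with its post-translation copy. The script below is an added example, not part of the post or the iRule above: it parses tcpdump lines in the format shown in the capture, pairs consecutive packets that share the same TCP header but carry different IP addresses, and checks the rewrite against the address mapping you expect the data groups to produce. The capture lines are the ones from the post; the SNAT and node mappings (SNAT_MAP and NODE_MAP) are constructed to match what that capture shows, not the contents of the real inside_patList_dg / natList_dg data groups.

```python
import re

# Capture lines from the post (tcpdump with service names resolved).
CAPTURE = """\
01:51:38.806639 IP 192.168.1.10.ewall > 10.10.0.10.microsoft-ds: S 3188598590:3188598590(0) win 65535
01:51:38.806753 IP 10.10.0.10.ewall > 192.168.1.10.microsoft-ds: S 3188598590:3188598590(0) win 65535
01:51:38.806638 IP 192.168.1.10.netdb-export > 10.10.0.10.netbios-ssn: S 1916429907:1916429907(0) win 65535
01:51:38.806773 IP 10.10.0.10.netdb-export > 192.168.1.10.netbios-ssn: S 1916429907:1916429907(0) win 65535
01:51:38.808348 IP 192.168.1.10.netbios-ssn > 10.10.0.10.netdb-export: S 1171958153:1171958153(0) ack 1916429908 win 65535
01:51:38.808354 IP 10.10.0.10.netbios-ssn > 192.168.1.10.netdb-export: S 1171958153:1171958153(0) ack 1916429908 win 65535
01:51:38.808605 IP 192.168.1.10.microsoft-ds > 10.10.0.10.ewall: S 3142739781:3142739781(0) ack 3188598591 win 65535
01:51:38.808610 IP 10.10.0.10.microsoft-ds > 192.168.1.10.ewall: S 3142739781:3142739781(0) ack 3188598591 win 65535
01:51:38.810366 IP 192.168.1.10.ewall > 10.10.0.10.microsoft-ds: . ack 1 win 65535
01:51:38.810369 IP 10.10.0.10.ewall > 192.168.1.10.microsoft-ds: . ack 1 win 65535
01:51:38.810618 IP 192.168.1.10.ewall > 10.10.0.10.microsoft-ds: P 1:138(137) ack 1 win 65535
01:51:38.810620 IP 10.10.0.10.ewall > 192.168.1.10.microsoft-ds: P 1:138(137) ack 1 win 65535
"""

# Constructed (assumed) expectations: original address -> translated address.
# These stand in for the inside_patList_dg / natList_dg contents, which the post does not show.
SNAT_MAP = {"192.168.1.10": "10.10.0.10"}   # client_addr rewritten by the snat command
NODE_MAP = {"10.10.0.10": "192.168.1.10"}   # local_addr rewritten by node + translate address

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^:]+): "
    r"(?P<rest>.*)$"
)


def ts_seconds(ts):
    """Convert HH:MM:SS.micro into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict of the tcpdump fields, or None for lines that are not TCP/IP summaries."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def pair_translations(text, window=0.005):
    """Pair each packet with the next one when the TCP header (ports, flags, seq/ack, window)
    is identical and the timestamps are within `window` seconds, but the IP addresses differ.
    Such a pair is the same packet seen before and after the BIG-IP rewrote it."""
    pkts = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    pairs = []
    i = 0
    while i < len(pkts) - 1:
        a, b = pkts[i], pkts[i + 1]
        same_tcp = (a["sport"], a["dport"], a["rest"]) == (b["sport"], b["dport"], b["rest"])
        close = abs(ts_seconds(b["ts"]) - ts_seconds(a["ts"])) <= window
        if same_tcp and close and (a["src"], a["dst"]) != (b["src"], b["dst"]):
            pairs.append({
                "sport": a["sport"], "dport": a["dport"],
                "src": (a["src"], b["src"]),   # (before, after)
                "dst": (a["dst"], b["dst"]),
            })
            i += 2
        else:
            i += 1
    return pairs


def verify_translation(pairs, snat_map, node_map):
    """Return a list of human-readable mismatches; an empty list means every observed
    rewrite agrees with the expected SNAT and destination mappings."""
    problems = []
    for p in pairs:
        src_before, src_after = p["src"]
        dst_before, dst_after = p["dst"]
        if snat_map.get(src_before, src_before) != src_after:
            problems.append(f"src {src_before} -> {src_after}, expected {snat_map.get(src_before, src_before)}")
        if node_map.get(dst_before, dst_before) != dst_after:
            problems.append(f"dst {dst_before} -> {dst_after}, expected {node_map.get(dst_before, dst_before)}")
    return problems


if __name__ == "__main__":
    found = pair_translations(CAPTURE)
    for p in found:
        print(f"{p['sport']}->{p['dport']}: src {p['src'][0]} => {p['src'][1]}, dst {p['dst'][0]} => {p['dst'][1]}")
    print("mismatches:", verify_translation(found, SNAT_MAP, NODE_MAP) or "none")
```

Run it against a capture taken on the BIG-IP with both the ingress and egress VLANs in view; an unpaired packet means the rewrite never happened for that flow (the symptom described in the post before translate address was enabled), and a non-empty mismatch list means a data-group entry does not say what you think it says.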