



Dear all,

I'm new to F5. I have an issue I'd like your suggestions on.

When I have a server behind the F5, how can I configure the F5 to allow the server to access the internet via SNAT?

For my testing:
          1.  I can access the internet when I configure NAT.
          2.  When I configure a virtual server to allow IP forwarding with all protocols, it works but the F5 doesn't NAT the server's IP (it can access the internet).
          3.  When I tried to configure SNAT with an address list, it cannot access the internet.

 

Best regards,


19 Answer(s):

Have you tried to use SNAT Automap? Alternatively, can you expand on 3) above? You'll need to use an SNAT Pool.

Dear Steve,

Thank you for your suggestion, but can you show me a configuration example?

Because I am confused about this issue:

When I use SNAT to NAT the server's IP, I need to create a VS to allow internet access too, right? But when I use NAT I do not need to create a VS to allow internet access, although the server can access the internet.

 

Best regards,

 

Sure, but I'll need a bit more info, primarily: is the 2.x network in your diagram public address space? In other words, if we SNAT to 2.2.2.254 (or rather whatever it really is) is that OK?

Dear steve,

 

Yes it is.

 

Best regards,

OK, so see the attached screenshot of how a VS for this might look.

Dear Steve,

Thank you for your suggestion, I can allow my server to access the internet with the configuration below. (refer 

But I still have a question to ask you (Pls help me ^^).

For another one, I would like to allow the SSH protocol to remote into my server (refer below). So I tried to configure SNAT to map the original server to an external IP (VIP) (2.2.2.100 --> 1.1.1.100) and configure a VS to allow the SSH protocol to access the VIP (2.2.2.100) with SNAT, but it doesn't work. (I already configured NAT port forwarding on my router.)

Hi  Steve,

To allow the server to access the internet I configured (refer: F5-routing-to-internet.jpg)

For the new question, SNAT is configured (refer: SNAT-ssh_server.jpg) and the VS is configured (refer: VIP-ssh_server.jpg)

 

Best regards

Sorry, the pictures are not shown, can you try again please; edit your post and ensure you click 'display as link'. Thanks

Dear Steve,

FYR

 

Best regards,

OK, so the outbound is working yes?

Regarding the SSH server, can you clarify the direction of traffic flow please?

Steve,

The outbound is working.

About the SSH server, the direction is like this.

 

internet ----> router (with static nat to VS of F5) -----> F5 (with SNAT to IP ssh server and port 22) -----> SSH server
(public IP)  -------->    3.3.3.200  ------------------------------------------> 2.2.2.200 (22)   ----------------------------------->  1.1.1.100 (22)

 

Best regards

OK, so it's SSH inbound. Your router does a NAT from 3.3.3.200 to 2.2.2.200 (the diagram actually shows .100). You've an IP Forwarding VIP listening on 2.2.2.200:22, with SNAT Automap configured.

The issue here is the type of VS. An IP Forwarding VS simply routes traffic on, it doesn't do any destination NAT. What you need here is to configure the real server in a Pool, change the VS to type Standard, leave the SNAT Automap and get rid of the ssh-server SNAT. It should work just fine then. Let me know how you get on.
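As an added example (not Steve's screenshot or any configuration from this thread), the two virtual servers side by side in bigip.conf style as tmsh lists them: the IP-forwarding VS that only routes outbound traffic, and the Standard VS with a pool that performs the destination NAT for inbound SSH. Object names and the VLAN names internal/external are assumed; the addresses are the ones used in the thread.

```tmsh
# Outbound (server -> internet): IP-forwarding VS. It only routes; no pool,
# no destination NAT. SNAT automap rewrites the source to a self IP on the
# egress VLAN so return traffic comes back through the BIG-IP.
# Restrict it to the internal VLAN: a 0.0.0.0/0 forwarder enabled on all
# VLANs would also forward traffic arriving from the outside.
ltm virtual vs_outbound_forward {
    destination 0.0.0.0:any
    mask any
    ip-forward
    profiles {
        fastL4 { }
    }
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans { internal }
    vlans-enabled
}

# Inbound SSH (router 3.3.3.200 -> VIP 2.2.2.200:22 -> 1.1.1.100:22):
# the real server is a pool member; a Standard VS with a pool does the
# destination NAT. Keep SNAT automap so the server answers to the BIG-IP
# rather than straight back to the router. The ssh-server SNAT object is
# not needed and is removed.
ltm pool pool_ssh_server {
    members {
        1.1.1.100:22 {
            address 1.1.1.100
        }
    }
    monitor tcp
}
ltm virtual vs_ssh_inbound {
    destination 2.2.2.200:22
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_ssh_server
    profiles {
        tcp { }
    }
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans { external }
    vlans-enabled
}
```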

Steve,

Thank you for the support, it works when I change the type to "standard" and create a pool to assign to the VS.

 

PS. The next one I plan to test is the WA feature. ^^

Best regards,

Great news, you're welcome. Good luck with WA.

Hi Steve,

For good news, I have a new issue to ask you for suggestions on ^^.

Now I would like to know how I can show or find logs on the F5, because I want to know which external source IP address accessed the F5 (VIP), or which original source IP of a server is mapped to which IP in the SNAT pool.

 

Best regards,

You can use log statements like so, before and after the snat in the rule:

log local0. "Source IP is: [IP::addr [IP::client_addr]]"

 Hi Steve,

Sorry for the late response. I tried your suggestion but the results before and after are the same.

## diagram for testing ##


       PC1 --------- F5 --------- PC2
    2.2.2.100                       1.1.1.100

             snat-pool: 2.2.2.251, 2.2.2.252

 

## iRule ##

when SERVER_CONNECTED {
  # logged before the snatpool command
  log local0. "client_addr [IP::client_addr]"
  log local0. "remote_addr [IP::remote_addr]"
  snatpool snat-pool
  # logged after the snatpool command
  log local0. "client_addr [IP::client_addr]"
  log local0. "remote_addr [IP::remote_addr]"
}

 

## Log on F5 ##

Fri Jan 4 23:37:49 PST 2013 info tmm tmm[7275]   Rule /Common/check-ip : client_addr 1.1.1.100
Fri Jan 4 23:37:49 PST 2013 info tmm tmm[7275]   Rule /Common/check-ip : remote_addr 2.2.2.100
Fri Jan 4 23:37:49 PST 2013 info tmm tmm[7275]   Rule /Common/check-ip : client_addr 1.1.1.100
Fri Jan 4 23:37:49 PST 2013 info tmm tmm[7275]   Rule /Common/check-ip : remote_addr 2.2.2.100
 
 
## tcpdump on F5 ##
 
23:37:49.227371 arp who-has 2.2.2.100 tell 2.2.2.10
23:37:49.228908 arp reply 2.2.2.100 is-at 00:0c:29:97:68:87 (oui Unknown)
23:37:49.228921 IP 2.2.2.252 > 2.2.2.100: ICMP echo request, id 50436, seq 1, length 64
23:37:49.229939 arp who-has 2.2.2.252 tell 2.2.2.100
23:37:49.229952 arp reply 2.2.2.252 is-at 00:0c:29:20:a0:43 (oui Unknown)
23:37:49.230929 IP 2.2.2.100 > 2.2.2.252: ICMP echo reply, id 50436, seq 1, length 64
23:37:50.230056 IP 2.2.2.252 > 2.2.2.100: ICMP echo request, id 50436, seq 2, length 64
23:37:50.231023 IP 2.2.2.100 > 2.2.2.252: ICMP echo reply, id 50436, seq 2, length 64
23:37:50.625324 IP 2.2.2.1.17500 > 2.2.2.255.17500: UDP, length 112
23:37:51.232533 IP 2.2.2.252 > 2.2.2.100: ICMP echo request, id 50436, seq 3, length 64
23:37:51.233963 IP 2.2.2.100 > 2.2.2.252: ICMP echo reply, id 50436, seq 3, length 64
 
Thank you
Didn't Nitass answer this in another of your posts?
Yes, it is my answer.
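An added example (not the iRule posted above, nor Nitass's answer) that makes the SNAT mapping visible: IP::client_addr and IP::remote_addr are not altered by a SNAT, which is why the before/after lines match, whereas IP::local_addr in server-side context is the SNAT address the BIG-IP chose; the snatpool command is also moved to CLIENT_ACCEPTED, because in SERVER_CONNECTED the server-side connection already exists. The rule name is assumed; snat-pool is the pool from the test diagram, and the rule is assumed to be attached to the virtual server.

```tmsh
# Added example, in bigip.conf style; not the thread's iRule.
ltm rule log_snat_mapping {
    when CLIENT_ACCEPTED {
        # Pick the SNAT before the server-side connection is built;
        # a snatpool command inside SERVER_CONNECTED runs too late.
        snatpool snat-pool
        # Client-side context: local_addr is the VIP/listener address.
        log local0. "clientside: client [IP::client_addr] -> vip [IP::local_addr]"
    }
    when SERVER_CONNECTED {
        # Server-side context: local_addr is the BIG-IP end of the server
        # connection, i.e. the SNAT address actually selected.
        # client_addr still reports the original client; it never changes.
        log local0. "serverside: client [IP::client_addr] snat [IP::local_addr] -> server [IP::server_addr]"
    }
}
```

For the capture shown above (PC2 pinging PC1), the serverside line would read client 1.1.1.100 snat 2.2.2.252 -> server 2.2.2.100, which is the mapping the tcpdump shows.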
