Tunnel default gateway in APM

Hi guys

I am wondering if there is any way to define a tunnel default gateway (like with Cisco ASA)? I like to force all VPN traffic from the F5 down to a firewall on the same subnet as the VPN pool. I want this so that I can control access on my firewall, where all other access is controlled as well.

Thanks!

/David


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

In APM there isn't any routing configuration.
It's linked to your general configuration.

So if you want to go through your firewall for every request, you have to define a default route in "Network -> Route".


Hi Thomas

Thanks - just what I suspected and what the current solution is. Unfortunately this only works for destinations that are not in the routing table, while directly connected interfaces will mess up the traffic pattern.

Could route domains be used to provide the users with a "clean" routing table?

/David


Hi,

What you can do is to define your Self-IP in another subnet than the one used by your servers.

Even if you use route domains, it won't change anything, because route domains are there to isolate different virtual servers, for example. You can have a different default route on each route domain, but your problem is still the subnet.


Another option is to configure a layer 4 virtual with a pool as the gateway next hop (example below):

    ltm virtual v4_nexthop {
        destination 0.0.0.0:any
        mask any
        pool 192.168.0.1
        profiles {
            fastL4 { }
        }
        source 192.168.0.128/28
        translate-address disabled
        translate-port disabled
        vs-index 7
    }

    ltm pool 192.168.0.1 {
        members {
            192.168.0.1:telnet {
                address 192.168.0.1
                session monitor-enabled
                state up
            }
        }
        monitor gateway_icmp
    }

Alternatively, you can use just a layer 3 forwarding VIP and add the following iRule:

    ltm rule v4_next_hop {
        when CLIENT_ACCEPTED {
            # override the routing-table next hop: send the flow out the "internal" VLAN to the firewall
            nexthop internal 192.168.0.1
            log local0. "[IP::remote_addr]:[TCP::remote_port] > [IP::local_addr]:[TCP::local_port]"
        }
    }

Either works fine for sending traffic to a gateway other than what is configured in the TMOS routing table.

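To make the difference between the two approaches in this thread concrete, here is an added Python model (not F5 code and not from anyone in the thread) of how the forwarding decision falls out. The routing table, the VPN lease pool 192.168.0.128/28 and the firewall address 192.168.0.1 are constructed to match the thread's example; the "connected" marker and the function names are assumptions for the illustration. A plain default route, as in the first answer, only catches destinations that are not directly connected, which is exactly the gap David describes; a source-scoped forwarding virtual catches VPN-sourced flows before the routing table is consulted at all.

```python
import ipaddress

# Constructed routing table modelled on the thread (not a TMOS export):
# directly connected subnets plus a default route pointing at the firewall.
ROUTES = [
    ("0.0.0.0/0", "192.168.0.1"),       # default route: the firewall
    ("192.168.0.0/24", "connected"),    # self-IP subnet shared with the servers
    ("192.168.0.128/28", "connected"),  # VPN lease pool, also on that subnet
]

# Values taken from the thread's example configuration.
VPN_POOL = ipaddress.ip_network("192.168.0.128/28")
FIREWALL = "192.168.0.1"


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match, the way a routing table picks a next hop.
    Returns the next-hop address, or "connected" when the destination is on
    a directly attached subnet and would be delivered without a gateway."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return best_hop


def forwarding_decision(src, dst, forwarding_vs=True):
    """Model of the source-scoped L4 forwarding virtual from the last answer:
    a flow whose source is in the VPN pool matches the virtual's 0.0.0.0/0
    destination and is handed to the pool's gateway member, regardless of
    what the routing table says. Anything else falls through to routing."""
    if forwarding_vs and ipaddress.ip_address(src) in VPN_POOL:
        return FIREWALL
    return route_lookup(dst)


def compare_flows(flows):
    """Return (src, dst, route_table_only, with_forwarding_vs) for each flow,
    so the bypass of the firewall for connected destinations is visible."""
    return [
        (src, dst, forwarding_decision(src, dst, forwarding_vs=False),
         forwarding_decision(src, dst, forwarding_vs=True))
        for src, dst in flows
    ]


if __name__ == "__main__":
    # Constructed sample flows: a VPN client reaching a local server, a VPN
    # client reaching a remote network, and a non-VPN host on the same LAN.
    sample = [
        ("192.168.0.130", "192.168.0.50"),
        ("192.168.0.130", "10.20.30.40"),
        ("192.168.0.20", "192.168.0.50"),
    ]
    for src, dst, via_routes, via_vs in compare_flows(sample):
        print(f"{src} -> {dst}: routing table only = {via_routes}, "
              f"with forwarding virtual = {via_vs}")
```

Run as a script it prints one line per flow; the first line shows the VPN-client-to-local-server flow going "connected" (straight past the firewall) under routing alone and to 192.168.0.1 once the forwarding virtual is in place, while the non-VPN host on the LAN is unaffected because it is outside the virtual's source range.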