This is what I am trying to accomplish and I need some help.
    ----------
    | Client |
    ----------
        |
        |
    ----------
    | BigIP  |
    ----------
        |
        | <---- untrusted side of the CAS servers; VS created with IP 10.60.98.11, VLAN 351
    ----------------------
    | Cas1, cas2 or cas3 |
    |                    |
    ----------------------
        |
        | <---- trusted side of the CAS servers; VLAN 5
    ----------
    | BigIP  |
    ----------
        |
        |
    --------------
    | DNS or LDAP | <----- The response should go back to the trusted side of the CAS servers
    --------------
Traffic originates from the client subnet 10.60.250.x/24 and is destined for DNS or LDAP.
Policy-based routing forces the traffic to the untrusted side of the CAS VS, 10.60.98.11.
Since the destination is not the VS, the traffic hits the wildcard VS on the LTM. The iRule checks for the client IP range and forces the traffic to the untrusted CAS pool.
The following iRule is applied to the wildcard VS of 0.0.0.0/0.0.0.0:
when CLIENT_ACCEPTED {
    log local0. "client IP is [IP::client_addr]"
    # apply this rule to the wildcard VS since the destination is LDAP or DNS and it is going to hit the wildcard VS
    if { [IP::addr [IP::client_addr]/24 equals 10.60.250.0] } {
        pool cas_untrusted_https_pool
        persist source_addr 3600
    }
}
Based on the selected CAS, SNAT the client IP so that we will know which CAS was selected, and also set the cas_selected variable.
when LB_SELECTED {
    # Check the CAS server and do SNAT
    log local0. "LB server addr is [LB::server addr]"
    if { [IP::addr [LB::server addr] equals 10.60.252.6] } {
        snat 10.60.253.246
        set ::cas_selected "10.60.252.6"
        log local0. "selected CAS is $::cas_selected"
        forward
    } elseif { [IP::addr [LB::server addr] equals 10.60.252.7] } {
        snat 10.60.253.247
        set ::cas_selected "10.60.252.7"
        log local0. "selected CAS is $::cas_selected"
        forward
    } elseif { [IP::addr [LB::server addr] equals 10.60.252.8] } {
        snat 10.60.253.248
        set ::cas_selected "10.60.252.8"
        log local0. "selected CAS is $::cas_selected"
        forward
    }
}
The traffic gets automatically routed to the trusted side of the CAS server. The default gateway for the CAS servers is the self-IP on VLAN 5.
This traffic hits the forwarding server that is enabled only on VLAN 5. In this case, I expect the source IP to be the SNAT IP as above, but it is not happening. If the SNAT in the above iRule works correctly, the following iRule should have worked.
I tried SNAT automap first so that the return traffic from the DNS and LDAP servers would come back to the trusted side of the CAS, but it blocks administrative traffic like SSH and HTTPS.
So, I created another iRule, which is:
# <-- I do not know what event I need to check since this is the outbound traffic from the CAS servers,
#     and all I am trying to do is force the return traffic to come back to the same CAS server on the
#     trusted side so that it can't be SNATed back and sent to the client.
when CLIENT_ACCEPTED {
    log local0. "selected CAS-second is $::cas_selected"
    if { $::cas_selected equals "10.60.252.6" } {
        snat 10.60.253.254
        forward
    } elseif { $::cas_selected equals "10.60.252.7" } {
        snat 10.60.253.253
        forward
    } elseif { $::cas_selected equals "10.60.252.8" } {
        snat 10.60.253.252
        forward
    }
}
I pictured it several times and it seems like it should work, but still I am missing something. Any help would be appreciated.
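As an added example (not code from the post above), here is the same two-stage SNAT selection written so that each virtual server keys its lookup on the address it actually sees on its own connection, using local variables and a read-only static:: table instead of a ::global that every connection shares. The CAS pool members, SNAT addresses and pool name are taken from the post; the trusted-side CAS addresses 10.60.5.6-8 are placeholders, and the RULE_INIT block can live in either iRule because static:: variables are visible to all iRules on the device.

```tcl
# Added example, not from the original post: the same two-stage SNAT
# selection keyed on the address each VS actually sees, with no ::global
# shared by every connection. The 10.60.5.x trusted-side CAS addresses
# are placeholders; everything else comes from the post.
when RULE_INIT {
    # Untrusted-side wildcard VS: chosen CAS pool member -> SNAT toward CAS.
    array set static::cas_snat_untrusted {
        10.60.252.6 10.60.253.246
        10.60.252.7 10.60.253.247
        10.60.252.8 10.60.253.248
    }
    # Trusted-side forwarding VS (VLAN 5): CAS trusted-side address ->
    # SNAT toward DNS/LDAP, so replies return to the BIG-IP on VLAN 5.
    array set static::cas_snat_trusted {
        10.60.5.6 10.60.253.254
        10.60.5.7 10.60.253.253
        10.60.5.8 10.60.253.252
    }
}

# --- iRule A: on the 0.0.0.0/0.0.0.0 VS that sees the client subnet ---
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr]/24 equals 10.60.250.0] } {
        pool cas_untrusted_https_pool
        persist source_addr 3600
    }
}
when LB_SELECTED {
    # Local variable: scoped to this connection, so concurrent clients
    # cannot overwrite each other's selection.
    set cas [LB::server addr]
    if { [info exists static::cas_snat_untrusted($cas)] } {
        snat $static::cas_snat_untrusted($cas)
        log local0. "client [IP::client_addr] -> CAS $cas via SNAT $static::cas_snat_untrusted($cas)"
    } else {
        log local0. "no SNAT mapping for CAS $cas; source address unchanged"
    }
}

# --- iRule B: on the forwarding VS enabled only on VLAN 5 ---
when CLIENT_ACCEPTED {
    # Here the connection's "client" is the CAS server itself, so its own
    # trusted-side address selects the SNAT; no state from iRule A needed.
    set cas [IP::client_addr]
    if { [info exists static::cas_snat_trusted($cas)] } {
        snat $static::cas_snat_trusted($cas)
        log local0. "CAS $cas -> [IP::local_addr] via SNAT $static::cas_snat_trusted($cas)"
    }
}
```

Because the trusted-side lookup depends only on the CAS server's own source address, it stays correct when several CAS servers open DNS or LDAP connections at the same time, and the log lines show which mapping was applied to each connection.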