ICMP from the server pool

Question

I have what is probably a really basic question, but I cannot find an answer in any of the ASM docs. 
&nbsp;  
&nbsp; I have a pair of ASM 4100's that I have just started to configure. These are setup as inline active passive. 
&nbsp;  
&nbsp; Behind them, I have two web servers in different pools with separate VIP's. 
&nbsp;  
&nbsp; I have SNAT's setup so that the server owners can access those servers for maintenance. 
&nbsp;  
&nbsp; From the actual server on the backside (pool) they cannot ping anything beyond the F5's.  Do I need to create another SNAT for the reverse? The customers are freaked out that they cannot ping out from the servers, even though they really don't need too. 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Len 
&nbsp;  
&nbsp;

hooleylist · Answer

Hi Len, 
&nbsp;  
&nbsp; SOL7366 (Click here) details the steps required to allow ICMP through a SNAT: 
&nbsp;  
&nbsp;  
&nbsp; A SNAT passes ICMP traffic when SNAT Packet Forwarding is set to All Traffic. The All Traffic setting specifies that the BIG-IP system forwards any IP packets originating from a SNAT member for all traffic types. 
&nbsp;  
&nbsp; To configure a SNAT to forward all traffic, perform the following procedure: 
&nbsp;  
&nbsp;    1. Log in to the Configuration utility. 
&nbsp;    2. Click System, then click General Properties. 
&nbsp;    3. From the Local Traffic menu, select General. 
&nbsp;    4. Change the SNAT Packet Forwarding setting to All Traffic. 
&nbsp;    5. Click Update. 
&nbsp; &nbsp; 
&nbsp;  
&nbsp; What type of SNAT(s) have you defined? 
&nbsp;  
&nbsp; Aaron

ljb_107563 · Answer

I have two VIP-Pool mappings. One for the http/s service and the other for any port/protocol.  I built the SNAT and everything is working perfectly, I just cant ping from the server to the public side. 
&nbsp;  &nbsp;

hooleylist · Answer

Are you able to make a TCP based request from the hosts to the destination they want to be able to ping through the SNAT?  If so, you should just need to set the global option for SNAT packet forwarding to 'All Traffic'. 
&nbsp;  
&nbsp; If you try that, are you able to ping from the pool members to the destination(s)? 
&nbsp;  
&nbsp; Aaron

ljb_107563 · Answer

Yes, they can access any service (backup, ftp, etc) to any server, but to those same servers, no icmp... 
&nbsp;  
&nbsp;  
&nbsp; &gt;global option for SNAT packet forwarding to 'All Traffic'. 
&nbsp;  
&nbsp; I am lost as to where you set global options for the SNAT.  I have them set to all VLANS, but I dont see all traffic unless you aare talking about the vip or the pool settings. &nbsp;

ljb_107563 · Answer

DOH! 
&nbsp; Thanks a million... I just went through and figured it out. I was thinking pool/vip, you were talking SNAT only.  That worked, thanks.

Forum Discussion

ICMP from the server pool

5 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

icmp of management firewall

Server Profile SNI

ICMP Custom Source Address Monitor

Check a Virtual Server's SSL Status

Virtual Server graphical App for F5 LTM