Forum Discussion

Jeepha_42175
Dec 14, 2008

Newbie Question. Big IP as Gateway v4.5

Hello,

I have recently taken over for another technician that was 'excused' due to not getting projects completed. One of my tasks is implementing this F5 to load balance two HTTPS servers.

This is a LTM 2400 series running 4.5. It has been sitting in the rack since it was purchased new without being configured. (One of his unfinished projects). So it is currently out of support, and updating the kernel is probably not going to happen. It is pretty simple what I need to do, and so far all is going well except I cannot get my nodes to browse the Internet. Here is what I have done so far:

BIG-IP has two enabled interfaces, one on the outside world with a public IP, and the other with a local IP. I have two web servers on the internal IP network that need to be accessed by the world. They both are using the internal interface of the BIG-IP as their gateways. They are able to resolve DNS; however, they cannot browse across the BIG-IP. I have created a virtual server and can effectively browse the sites on the nodes from the Internet via the virtual server.

The problem I am having is accessing the Internet from the web servers. I have tried creating a wildcard forwarding server with IP 0.0.0.0/0.0.0.0, but still no dice. Here are the settings:

Virtual Server 0.0.0.0:0

Status: ENABLED

Virtual Server Address Status: Enabled

Enable translation: NO

Enable Reset on Service Down: NO

Enable Connection Rebind: NO

Enable ARP: YES

Enable Reset on Timeout: YES

Disable FastFlow Acceleration: NO

Connection Limit: 0

Last hop pool: choose

No disabled LANs

Resources: Forwarding

I have been reading posts all day that refer to creating a FastL4 Profile... but I don't believe that option is available to me on this version. I am sure I am missing something very basic, but the solution eludes me. Please give me a hand if you can.

Thank you very much,

Curtis

4 Replies

  • Curtis, there are far too many variables at play here; it's hard to point at one particular entity.

    First of all, sign up for & join askf5, then download & read this admin guide thoroughly ⇒ https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg_IPswitch_942.html, and other related searched manuals.

    After reading it, then ask your manager politely, explaining the huge task ahead gathered from the manual, that the requested job requires a new set of skills and therefore requires them to sponsor you on a Websecurity & F5 LTM course.

    FastL4 Profile is not your problem.

    Incidentally, Curtis, why are you trying to access the Internet from the web servers? Instead, you should be trying to access your web-servers from the Net?

    Not a good idea security-wise opening up your network with wild cards.

  • Without addressing potential security issues, from a technical perspective you should be able to pass this traffic if you configure SNAT on the wildcard VIP. This ensures BIG-IP performs source address translation on outbound requests.

    Aaron

  • Thank you for your reply. I apologize for not getting back to you sooner, but I had several projects that came up with priority.

    I have two unroutable internal web servers that need to get out to the Internet. Inbound works fine through the F5. The external interface of the F5 is sitting on the Internet and not firewalled.

    I have tried the SNAT solution you outlined. I created a new SNAT:

    Translation Address: AUTOMAP

    Enable ARP: Checked

    Origin Address:

    10.100.20.61

    10.100.20.62

    Netmask not defined

    Origin Vlan: internal

    Disabled Vlans: None

    I am confused on this suggestion from you:

    "Note that if you do that you have to check the Allow SNAT checkbox on that self-ip definition as well."

    I am not sure where I am to apply this.

    Thank you for your help.

    Curtis

  • Thank you very much for your help.

    This is all working perfectly now.

    Thanks again,

    Curtis