Forum Discussion

Chip_Tesch_1839
Mar 19, 2009

LC balancing inbound and outbound static NAT

I have a situation in which I need to link balance two ISP links for several “inside” firewalls. Servers behind the firewalls initiate traffic outbound to the Internet, through the Big-IP Link Controllers. Some of the Internet service providers expect one of two specific IP addresses (one in each ISP’s address space) in order to accept a service request. I can only define NAT for one of the two ISP addresses – trying to use ISP2’s address, after setting up NAT with ISP1’s address, I get the “duplicate index” error on the inside address (the firewall’s outside address).


The problem with using a static NAT in this scenario, obviously, is if the Link Controller balances the outbound connection through ISP2’s link, (1) the ISP2 router will not forward an “invalid” source address, and also (2) the return traffic will only ever use ISP1.


Is there a way, perhaps using an iRule, to specify an outbound, destination NAT address to use for a session, after the link balance decision is made, from an address in the selected ISP’s address space?

3 Replies

  • LC should always use SNAT automap for outbound traffic, rather than a NAT. Automap will pick the self-ip to use from the correct ISP space corresponding to each link. It should be applied to your outbound wildcard (0.0.0.0) virtual server(s).


    Denny
  • Thanks for your reply. It will use SNAT Automap, but the issue there is that all users will use the same outbound IP address, rather than a specific one we'd like to assign to specific services. In other words, all inside users would appear to be the authorized address. Granted, there is more security than just IP address, but we'd like to be able to specify outbound IP addresses, as we can with inbound, for access to these services. We're wondering if anyone has been able to achieve that.


    Thanks again for your reply.
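The approach both posts circle around (automap for ordinary traffic, a specific source address only for the inside host and external service that need it, chosen after the link-balancing decision) can be expressed as an iRule on the outbound wildcard virtual server. The block below is an added example, not code from this thread or from F5; it assumes the wildcard virtual server's pool contains the two ISP gateway routers, that the hypothetical addresses shown (inside firewall 10.0.0.1, partner service 203.0.113.50, gateways 198.51.100.1 and 192.0.2.1, authorized SNAT addresses 198.51.100.10 and 192.0.2.10) are replaced with real ones, and that the two authorized addresses are configured on the LC as SNAT translation addresses (or self IPs) in the respective ISP's space so the LC answers ARP for them.

```tcl
# Added example, not from the original thread. Selects the SNAT address
# after the Link Controller has picked the egress gateway, so the source
# address always belongs to the ISP the packet actually leaves through.
# All addresses below are hypothetical placeholders.
when LB_SELECTED {
    # LB_SELECTED fires after the link-balancing decision; the selected
    # pool member is the ISP gateway router this connection will use.
    set gw     [LB::server addr]
    set client [IP::client_addr]
    set dst    [IP::local_addr]
    set dport  [TCP::local_port]

    # Only the one inside firewall that is authorized for the partner
    # service gets the registered source address, and only toward that
    # service. Every other flow keeps the plain automap behaviour, so
    # the rest of the inside hosts never appear as the authorized IP.
    if { ($client equals 10.0.0.1) and ($dst equals 203.0.113.50) and ($dport == 443) } {
        # Map the chosen gateway to the authorized address in that ISP's
        # space: 198.51.100.1 -> ISP1, 192.0.2.1 -> ISP2. Unknown gateway
        # (e.g. a newly added link) falls back to automap rather than
        # sending a source address the other ISP would drop.
        switch $gw {
            "198.51.100.1" { snat 198.51.100.10 }
            "192.0.2.1"    { snat 192.0.2.10 }
            default        { snat automap }
        }
    } else {
        snat automap
    }
}
```

Because the authorized address is picked to match the selected link, return traffic for it comes back through the same ISP, which removes the asymmetric-return problem a static NAT has. The trade-off is that the partner must have both authorized addresses registered; if a given service will only ever accept one of them, it is simpler to pin that destination to the corresponding gateway before the balancing decision than to choose a source address after it.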