Forum Discussion

tranchungdt5_93
Jul 15, 2009

Can't ping from Internal Vlan to Internet ?

Hi all.

I have a BIG-IP LTM box (licensed for both LTM and Link Controller).

I have 2 ADSL lines, as follows:

----------------      ------------------
-  203.162.0.1 -      -  210.245.0.1   -
----------------      ------------------
        |                     |
        |                     |
        |                     |
---------------------------------------------------
-   203.162.0.4          210.245.0.4              -
-                  F5 LTM                         -
-                172.16.1.1                       -
---------------------------------------------------
                      |
                   ASA 5550
                      |
                      |
                   Clients
-------------------------------------------------

 

This diagram needs to do the following:

1. Link Controller handles the domain names for the applications: mail, web, vpn.

2. VPN site-to-site from the Internet (Cisco Router) to the ASA (Vir 203.162.0.7; Vir 210.245.0.7).

3. SSL VPN and IPsec VPN from the Internet to the ASA (Vir 203.162.0.7).

4. Load balancing for the HTTP and SMTP protocols to the DMZ servers (Vir 203.162.0.5, 2; Vir 210.245.0.5).

5. Clients from the Internal VLAN can go to the Internet over the 2 ADSL lines.

And the IP forwarding for the ASA goes outbound with SNAT. SNAT makes BIG-IP choose the correct gateway to go out. SNAT is enabled on the Internal VLAN.

The default gateway of the BIG-IP is the pool (203.162.0.1; 210.245.0.1).

 

And these are the values for the variables.

Box: F5LTM 3400-01

Parameter: Value

VLANs: ExtLeaseline1, ExtLeaseline2, Internal

Self IPs:
  ExtLeaseline1: 203.162.0.2/28, Floating IP: 203.162.0.1
  ExtLeaseline2: 210.245.0.2/28, Floating IP: 210.245.0.1
  Internal: 172.30.1.4/24, Floating IP: 172.30.1.3

A default gateway pool: pool with members 203.162.0.1, 210.245.0.1

Links: Primary: 203.162.0.1; Secondary: 210.245.0.1

Outbound SNAT: Snat_Automap with Internal VLAN

Pools:
• Pool_Web, Member: 172.30.1.6 (172.30.1.6 is the NAT IP address on the ASA for the Web server)
• Pool_Mail, Member: 172.30.1.7 (172.30.1.7 is the NAT IP address on the ASA for the Mail server)
• Pool_VPN, Member: 172.30.1.1
• Pool_Router, Members: 203.162.0.4; 210.245.0.4

Virtual Servers:
• VS_Web1: 203.162.0.5 (80), Pool: Pool_Web
• VS_Web2: 210.245.0.5 (80), Pool: Pool_Web
• VS_Mail: 203.162.0.6 (*), Pool: Pool_Mail
• VS_VPN: 203.162.0.7 (*), Pool: Pool_VPN

Listeners:
  ListenerOutbound1: 203.162.0.1
  ListenerOutbound2: 210.245.0.1

Wide IPs:
• www.baoviet.com.vn
  o Members: VS_Web1, VS_Web2.
• mail.baoviet.com.vn
  o Member: VS_Mail.
• vpn.baoviet.com.vn
  o Member: VS_VPN.

Outbound VS:
• VS_Outbound: 0.0.0.0
  o IP Forwarding
  o Last Hop Pool: Pool_Outbound

Could you tell me whether this config is correct for the F5 box?

When I configured this, I checked it and it was OK. But clients from Internal, or the ASA, can't ping the Internet (they can still telnet, access the Web, etc.). I checked the SOL9616 solution from AskF5 and upgraded my box to version 9.4.7, but it still can't ping the Internet.

Could you help me, please?

Thanks & Regards

7 Replies

  • Do you have VS_Outbound set for all protocols? Also, if the ICMP is going through a SNAT, you'll need to enable all protocols for SNAT as well. You can see SOL7366 for details:

    SOL7366: Configuring the BIG-IP LTM to pass ICMP traffic

    https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7366.html

    Aaron
  • Thank you very much.

    I have fixed it with SNAT for all traffic.

    Thank you again.

    And could you help me with a solution for "how to choose the gateway router to go out if I have 4 ADSL gateways"? For example, for Mail and Web I choose the leased-line Internet, and for the others I choose the 4 ADSL Internet lines.

    Help me, please.

    Thanks
  • If you want to select a different gateway (or gateway pool) for different protocols, it would be easiest to create a separate pool for each gateway and then create separate virtual servers (0.0.0.0:80, 0.0.0.0:443, 0.0.0.0:25, etc.) for each protocol which point at the relevant pool. Make sure to enable the wildcard virtual servers only on the VLANs which you want to accept traffic from. You probably don't want to have the VIPs enabled on the external VLAN or any other which is connected to an untrusted subnet.

    Aaron
  • Thank you for your reply.

    With "how to choose the gateway to go out", I have to configure it to choose the gateway by the client's IP. With the IPs of the DMZ servers, the F5 box chooses the LeaseLine gateway; with the IPs of Internet clients, F5 chooses the ADSL gateway.

    Could I use an iRule on the Virtual IP Forwarding to choose the ADSL pool or the Leaseline pool?

    And if I use a Virtual Wildcard Server 0.0.0.0 (UDP & TCP) with the Leaseline pool as its pool, I don't know whether it is different from Virtual IP Forwarding or not, because when I replace the Virtual Wildcard Server 0.0.0.0 with Virtual IP Forwarding, the F5 box still works OK.

    Could you help me understand more?

    Thanks a lot

    Tran Chung
  • Yes, you could use an iRule to select a pool based on the client IP address. Here is an example from cmbhatt:

    Select specific Node based on incoming src IP

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3315733175

    You can use matchclass to check the client IP address against an address-type datagroup with one or more hosts/subnets. Or, to compare the client IP address against a single IP address or subnet, you can use IP::addr.

    It would be easier to configure the virtual server to select the pool based on the VLAN the client connects to the VIP from. If you could do that, you could just have one VIP per incoming VLAN and not bother with an iRule.

    Aaron
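As an added example of the approach Aaron describes (this is not code from the thread, from cmbhatt's post, or from F5), the iRule below selects a gateway pool by client source address using both techniques he names: matchclass against an address datagroup and IP::addr against a subnet. It is written in the v9 iRule syntax the poster's 9.4.7 box uses. The pool names Pool_Leaseline and Pool_ADSL, the datagroup name dmz_servers (assumed to contain the ASA NAT addresses 172.30.1.6 and 172.30.1.7 listed in the config above), and the 172.30.1.0/24 client subnet are assumptions for illustration.

```tcl
# Added example, not from the original thread.
# Assumed objects (not in the page's config list):
#   Pool_Leaseline - gateway pool for the leased-line router
#   Pool_ADSL      - gateway pool for the ADSL routers
#   dmz_servers    - address datagroup (class) holding the DMZ servers'
#                    internal NAT addresses, e.g. 172.30.1.6 and 172.30.1.7
when CLIENT_ACCEPTED {
    # DMZ hosts (the ASA's NAT addresses for web and mail) leave via the
    # leased line. BIG-IP v9 references a datagroup as the global $::<name>.
    if { [matchclass [IP::client_addr] equals $::dmz_servers] } {
        pool Pool_Leaseline
        return
    }

    # Ordinary clients on the internal subnet (assumed 172.30.1.0/24) go out
    # over the ADSL gateways. v9 form of IP::addr: the /24 mask is applied to
    # the first operand before the comparison.
    if { [IP::addr [IP::client_addr]/24 equals 172.30.1.0] } {
        pool Pool_ADSL
        return
    }

    # Anything else was not expected on this VLAN; log it and let the
    # connection fall through to the virtual server's default pool so the
    # unexpected source is visible in /var/log/ltm for review.
    log local0. "outbound: unexpected source [IP::client_addr], using default pool"
}
```

Attach this to the outbound wildcard virtual server (0.0.0.0:0 with a default pool, rather than an IP-forwarding virtual, since a pure forwarding virtual has no pool for the `pool` command to override), and keep that virtual enabled only on the Internal VLAN, as the earlier reply recommends, so external hosts cannot use it as a relay. The `$::dmz_servers` reference is the v9 datagroup syntax; on v10 and later the equivalent check is `class match [IP::client_addr] equals dmz_servers`.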
  • Thank you Aaron very much.

    Today I removed the Virtual IP Forwarding 0.0.0.0 that goes to the LeaseLine pool, and the result is: internal clients still go to the Internet, and traffic from the Internet to Web and Mail is OK. It still works until I remove the default gateway, which is the pool of the LeaseLine gateway.

    So I wonder, what is the purpose of using Virtual IP Forwarding 0.0.0.0?

    And with the iRule I have created, which virtual server do I attach this iRule to for going out?

    Could you help me understand more, please?

    Thanks a lot.

    TC
  • Hello tranchungt5, all,

    I'm making your example a case study of a Link Controller configuration, because I found very similar requisites for my future installation.

    When I was reading your configuration I could see some mismatch in the addressing scheme. I have very few hours of BIG-IP, so it could be a fault of knowledge on my side. I'm sorry if so.

    1. Are the "203.162.0.1 - - 210.245.0.1" the IPs of the ISP routers you are connecting to? If I'm correct, why are you saying you have that same floating IP address?

    2. The links are configured with those router addresses, but what about the uplink address? Did you leave it blank?

    3. What are the IPs "203.162.0.4 - - 210.245.0.4" corresponding to? In the scheme I understood they would be the self IP addresses (floating, I guess), but in the configuration list they are referenced as "Pool_Router" members.

    4. On the "inside", you have in the scheme that 172.16.1.1 would be the internal IP address (that's what I understood), but you are referencing 172.30.1.3 as the Internal Floating IP Address.

    5. Regarding VPN connections, is there any tricky issue we must implement on the FW regarding header manipulation? In fact the VPN is established between the ASA and other sites/clients, and the ASA will be represented by a Virtual Server with a public IP address. (I'm thinking of NAT Traversal or others.)

    I would appreciate your comments.

    Many Thanks,

    Bruno Petrónio