Forum Discussion

benlui_9160
Sep 08, 2009

NAT for whole internal subnet

I am using a BIG-IP HA pair with 2 segments, external (203.194.252.x) and internal (192.168.0.x).

The BIG-IP has 1 floating IP (203.194.252.123).

My internal hosts need to access external hosts (e.g. 203.194.252.101, 102...). I can create a NAT for ONE original address only (e.g. 192.168.0.3) but NOT for the whole internal subnet (192.168.0.0/24). How can I do that?

8 Replies

  • I'd avoid NATs and instead use a virtual server. A network virtual server would allow you to pass traffic from clients on the internal VLAN to the outside VLAN. You could configure a forwarding IP virtual server on 203.194.252.0/24 and enable it only on the internal VLAN. If you want LTM to perform source address translation on the LTM to destination host connections, you can enable SNAT automap on the VIP.

    Aaron
  • But I have no dedicated server in 203.194.252.0/24 for internal hosts to access (that means my internal hosts might access different servers in 203.194.252.0/24), so I cannot create a virtual server on 203.194.252.0/24.

    Can SNAT help?
  • You could create a default SNAT, but a virtual server with SNAT enabled is going to be more specific and configurable than a SNAT. So do you want to basically route any requests from the internal hosts to any arbitrary destination host? If so, a 0.0.0.0:0 virtual server will work. Make sure to only enable it on the internal VLAN. If you have a pool of gateway servers you want to load balance, you'd want to add them to a gateway pool and use a Performance Layer4 VS with a FastL4 profile. If you just want to use the LTM routing table to send the traffic on, you can use a Forwarding IP VS.

    You might try searching on AskF5 for phrases like "outbound access" or "virtual server types" for more details. The LTM config guide for your version will also have some useful reference material.

    Aaron
  • Finally, I used SNAT for some of my internal hosts (192.168.0.x) to access ALL external hosts (203.194.252.x). Thanks
  • But I have a question,

    In my SNAT setting, I put

    translation = ip address : 203.194.252.88 (203.194.252.x is the external VLAN)

    Address list = 192.168.0.5, 192.168.0.6, 192.168.0.7

    VLAN traffic = enabled on "internal VLAN" (192.168.0.x is the internal VLAN)

    Now, when the 3 internal hosts access 203.194.252.x, they are SNATed to 203.194.252.88. Can I exclude some of the external hosts from this SNAT?
  • You can't restrict the destination IP addresses with a SNAT itself. But you could use packet filters to limit which destination addresses/subnets/ports the SNAT translation IP can connect to. You can check the LTM config guide for your version for details on packet filters.

    Or you could use a forwarding virtual server with a FastL4 profile. With a forwarding VIP you can use an iRule to restrict source and destination subnets/hosts/ports. There are a few examples of this in the Codeshare:

    AccessControlBasedOnIP - This iRule forwards traffic based on "trusted" source addresses.

    AccessControlBasedOnNetworkOrHost - This iRule allows administrators to allow or deny access to a virtual server based on IP/networks and ports.

    Aaron
  • I cannot use a forwarding virtual server as I should not put over 200+ hosts in the pool.

    I cannot use packet filters.

    The real case is,

    - LTM has 3 VLANs: external, internal, addition

    - external and internal form a bridged VLAN group, sharing the same segment 192.168.0.x

    - the addition VLAN is 10.10.10.x

    LTM IPs: 192.168.0.1, 192.168.0.88 (floating), 10.10.10.1

    (A) when hosts in the internal VLAN access hosts in the external VLAN, it will automatically SNAT to 192.168.0.88 (I have configured nothing for it)

    (B) but internal hosts need to SNAT to 10.10.10.8 (for example) to access hosts in 10.10.10.x

    So, I need to keep both (A) and (B), but when I set SNAT to 10.10.10.8 for internal hosts to achieve (B), (A) cannot be maintained: it will SNAT to 10.10.10.8 as well when accessing external hosts.

    Any recommendation?
  • The idea behind a forwarding virtual server is that the destination address isn't translated and isn't sent to a pool. The request just goes out according to the routing table to the original destination IP address. If you want/need to translate the source IP you can enable SNAT on the forwarding virtual server.

    I haven't worked much with VLAN groups, so I'm not sure whether the forwarding virtual server can be enabled only on the internal VLAN if you have it defined in a VLAN group.

    Maybe someone else with more experience with VLAN groups can suggest a solution?

    Aaron
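As an added example (not from the thread and not one of the Codeshare rules named above), this iRule shows the two things discussed here on one wildcard forwarding virtual server with a FastL4 profile enabled only on the internal VLAN: it limits which sources and destination subnets may use the path, and it applies the 10.10.10.8 SNAT only for destinations in 10.10.10.x, leaving external-bound traffic to the automap translation. The addresses are the ones from the thread; the allowed source hosts, the permitted destination subnets and the assumption that the VS can be restricted to the internal VLAN despite the VLAN group (the open question in Aaron's last reply) are assumptions to adjust.

```tcl
# Added example, not from the thread. Attach to the 0.0.0.0:0 forwarding VS
# (FastL4 profile) enabled on the internal VLAN only. Source hosts, destination
# subnets and the 10.10.10.8 translation address are assumptions for this example.
when CLIENT_ACCEPTED {
    # On a wildcard virtual server, IP::local_addr is the original destination.
    set src [IP::client_addr]
    set dst [IP::local_addr]

    # Source restriction: only the internal hosts listed earlier in the thread.
    # (Extend or replace this list for your environment.)
    if { !([IP::addr $src equals 192.168.0.5] ||
           [IP::addr $src equals 192.168.0.6] ||
           [IP::addr $src equals 192.168.0.7]) } {
        log local0. "Dropped: source $src not permitted to reach $dst"
        drop
        return
    }

    # Case (B): destinations in the addition VLAN are reached via 10.10.10.8.
    if { [IP::addr $dst equals 10.10.10.0/24] } {
        snat 10.10.10.8
        return
    }

    # Case (A): destinations on the shared 192.168.0.x segment keep using the
    # floating self IP; automap selects the floating address of the egress VLAN
    # (192.168.0.88 here), so this connection is not translated to 10.10.10.8.
    if { [IP::addr $dst equals 192.168.0.0/24] } {
        snat automap
        return
    }

    # Any other destination is not permitted from the internal VLAN; dropping
    # here is what the packet-filter approach would otherwise have to do.
    log local0. "Dropped: $src -> $dst destination not permitted"
    drop
}
```

Because the decision is made per connection in CLIENT_ACCEPTED, the virtual server itself needs no global SNAT setting, and the log lines give a simple audit trail of what was refused.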