NCP -NAT

Question

Hello 
&nbsp;  
&nbsp; We want to use a NCP client through our bigip LTM v9.4, NCP client is located in our Local network, and the NCP Server is in the outside network. we have to use NAT in order to reach the NCP server (this cannot be avoided). The issue is that NAT just replaces the source IP from TCP headers, and NCP uses a referral header with the IP address from client (I think it goes on the payload). This header is not replaced, so NCP server cannot replay connections. 
&nbsp;  
&nbsp; So the question is: If it exists a way to change this header using iRules? I took a look at the wiki, and I didn't find anything about NCP protocol. 
&nbsp;  
&nbsp; Here you can find the documentation for NCP protocol and its issues related to NAT. 
&nbsp; http://www.novell.com/coolsolutions/feature/17156.html 
&nbsp;  
&nbsp; Any help will be appreciated. 
&nbsp; MRH

the_bhattman · Answer

I don't have NCP running but have you taken a look at the following 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/TCP__payload.html 
&nbsp;  
&nbsp; I hope this helps 
&nbsp;  
&nbsp; Bhattman

jrahm · Answer

It looks like you're going to need to account for not just the offset of the ncp header, but where in the data stream, if at all, the ip will be that you are looking to replace.  Is the field in a reliable location in every packet/flow, or does it change based on request type?  Might have to validate the appropriate request type first, then start searching for the right field to perform your replacements.  Sounds doable, but will need further analysis of some packet captures.  TCP::collect and TCP::payload, as Bhattman has indicated, will be your friends in this effort.  Might wanna look up TCL's binary scan command as well.

manuel_108718 · Answer

Thanks for your help,  those are good suggestions, I 'II take a look on it,  
&nbsp;  
&nbsp; I hope to answer soon. 
&nbsp;  
&nbsp; Regards &nbsp;

Forum Discussion

NCP -NAT

3 Replies

Recent Discussions

Advise on setting up IRULE

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

F5Access | MacOS Sonoma

Rewrite uri translation not working

Related Content

BIG-IP AFM設定例-NAT

Remove subnet from NAT pools without any impact

NAT traffic initiated by F5

Bulk Nat Creation

one private ip nat with 40 public ip address