NAT and VS Forwarding Issue

Question

Hi:&nbsp;
I have one server need to access WAN and Internet, I create one VS Forwarding for WAN and One NAT for Internet,
The LTM has three interface, one for internal, one for WAN, and one for Internet connection.&nbsp;
I enable VS Forwarding on Internal interface, enable NAT on Internet Interface
Routing configuration are all correct.&nbsp;
But the problem is when the server need access to the WAN network, the NAT always translate the IP to the public IP address, even I never enable the NAT on the WAN interface.&nbsp;
But When I delete the NAT, the server can access the WAN correctly.&nbsp;
My OS version is BIG-IP 11.3.0 Build 3138.0 Hotfix HF7. Anybody face the same problem?&nbsp;

nitass_89166 · Accepted Answer

e.g.
 nat

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm nat nat1
ltm nat nat1 {
    inherited-traffic-group true
    originating-address 200.200.200.101
    traffic-group traffic-group-1
    translation-address 172.28.20.15
    vlans {
        internal
    }
    vlans-enabled
}

virtual server

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual wildcard
ltm virtual wildcard {
    destination any:0
    mask any
    profiles {
        fastL4 { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 26
}

irule to send wan and internet to corresponding gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
  if { [IP::addr [IP::local_addr] equals 172.28.26.0/24] } {
    pool wangw
  } else {
    pool netgw
  }
}
}

wan gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool wangw
ltm pool wangw {
    allow-nat no
    members {
        172.28.20.16:0 {
            address 172.28.20.16
        }
    }
}

internet gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool netgw
ltm pool netgw {
    members {
        172.28.20.254:0 {
            address 172.28.20.254
        }
    }
}

internet traffic (source ip is nated to 172.28.20.15)

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:39:20.714137 IP 200.200.200.101.46442 &gt; 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 
08:39:20.714270 IP 172.28.20.15.46442 &gt; 192.168.206.171.80: S 1529194290:1529194290(0) win 5840

wan traffic (source ip is not nated)

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:40:15.302032 IP 200.200.200.101.59834 &gt; 172.28.26.70.80: S 3450625808:3450625808(0) win 5840 
08:40:15.304022 IP 200.200.200.101.59834 &gt; 172.28.26.70.80: S 3450625808:3450625808(0) win 5840

nitass · Answer

do you know all wan address server has to access?&nbsp;
if yes, you may create two virtual servers; one is network virtual server for wan and the other one is wildcard virtual server for internet. then enable snat automap/snatpool under the wildcard virtual server (do not use snat list).&nbsp;

zhu_shaofeng_14 · Answer

Yes, I know all the wan servers need to be accessed.&nbsp;
But Must I create two VS?&nbsp;
One VS for Forwarding (WAN), One NAT (Internet) will not work?&nbsp;
Please correct me, thanks&nbsp;

nitass · Answer

But Must I create two VS?&nbsp;
One VS for Forwarding (WAN), One NAT (Internet) will not work?&nbsp;

nat creates both source and destination listener objects. so, it will be applied to wan traffic.&nbsp;
sol9038: The order of precedence for local traffic object listeners&nbsp;
http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html&nbsp;
to disable nat for wan traffic, you can disable allow-nat under wan gateway pool configuration.&nbsp;

zhu_shaofeng_14 · Answer

Hi Nitass:

Thanks a lot ! It works!

Forum Discussion

NAT and VS Forwarding Issue

7 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Regex issue

Remove subnet from NAT pools without any impact

F5 GTM resolution issue

Nodes forwarding

Irule Example Issue