Forum Discussion

jaddie_85451
Feb 21, 2014

Routing Question

Ok, I am having an issue with administrative access to a server. Here is the setup: I have a VS on an external VLAN 100 of 10.100.1.1 that load balances a single server on an internal VLAN of 200. The server (single NIC) 10.200.1.10 is using the self IP of the f5 as the DG, so 10.200.1.1, and is pointing all RFC 1918 addresses to go out that interface. I have set up a Forwarding VS to get the server out the default route 0.0.0.0 (public routable IP):

    ltm virtual VLAN200-Forwarding {
        destination 0.0.0.0:any
        ip-forward
        mask any
        profiles {
            fastL4_stateless { }
        }
        snat automap
        translate-address disabled
        translate-port disabled
        vlans {
            LAN-VLAN200
        }
        vlans-enabled
    }

Here is the issue: I can ping the server directly, but I am unable to reach the server via Remote Desktop with the current config. If I change the FwdVS to snat none, I can access the server via RDP, but outbound access breaks.

My hunch is that since this device sits on a routable network, when I access the server directly it is bypassing the f5 to get to the device, and then the return traffic is going out the DG of the f5, which equals asymmetric routing.

Any thoughts or hints on how to set this up differently?

3 Replies

  • If you have return traffic that goes direct from VLAN 200 to internal hosts, you will need to set up a second forwarding virtual server. The FVS matches destination traffic, and tells it how it is to be treated. With automap enabled, you are essentially talking to the server IP, and hearing back from the Automap address which will never work. Create the second forwarding VS as shown below where 10.x.x.x is your internal management network range. The LTM will match the MOST SPECIFIC virtual server to handle the traffic, therefore internal traffic will not use automap, but external will.

    ltm virtual VLAN200-Forwarding {
        destination 10.x.x.x:any
        ip-forward
        mask any
        profiles {
            fastL4_stateless { }
        }
        snat none
        translate-address disabled
        translate-port disabled
        vlans {
            LAN-VLAN200
        }
        vlans-enabled
    }

    Alternately, I think you could also set up an iRule to look for the destination address to belong to a group, and disable SNAT when the destination is in your group of internal addresses. That can be applied to the original Forwarding Virtual Server.
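
The two approaches from this reply written out in full, as an added example that is not the poster's or F5's own configuration: a catch-all forwarding virtual server with automap, a more specific forwarding virtual server for the management range with no SNAT, and the single-VS alternative using an address data group and an iRule. The names VLAN200-Forwarding-Default, VLAN200-Forwarding-Internal, rfc1918_nets and no_snat_internal, and the 10.10.0.0/24 management range, are assumptions; LAN-VLAN200 and 10.200.1.10 come from the original post.

```tmsh
# Added example, not the thread's own configuration. Object names and the
# 10.10.0.0/24 management range are assumptions.

# 1. Catch-all forwarding VS: server-initiated traffic to anything not matched
#    by a more specific VS leaves via the BIG-IP default route, SNATed to the
#    egress self IP so replies come back through the BIG-IP.
ltm virtual VLAN200-Forwarding-Default {
    destination 0.0.0.0:any
    mask any
    ip-forward
    profiles {
        fastL4_stateless { }
    }
    snat automap
    translate-address disabled
    translate-port disabled
    vlans {
        LAN-VLAN200
    }
    vlans-enabled
}

# 2. More specific forwarding VS for the admin/management range. No SNAT, so an
#    admin host that opened RDP to 10.200.1.10 sees replies from 10.200.1.10.
#    The mask is the real prefix mask of the range: "mask any" (0.0.0.0) would
#    turn this into a second catch-all.
ltm virtual VLAN200-Forwarding-Internal {
    destination 10.10.0.0:any
    mask 255.255.255.0
    ip-forward
    profiles {
        fastL4_stateless { }
    }
    snat none
    translate-address disabled
    translate-port disabled
    vlans {
        LAN-VLAN200
    }
    vlans-enabled
}

# 3. Alternative: keep only the catch-all VS and attach this iRule to it. The
#    data group lists the destinations that must not be SNATed (RFC 1918 here,
#    as in the original post); the rule disables SNAT per connection.
ltm data-group internal rfc1918_nets {
    type ip
    records {
        10.0.0.0/8 { }
        172.16.0.0/12 { }
        192.168.0.0/16 { }
    }
}
ltm rule no_snat_internal {
when CLIENT_ACCEPTED {
    # On a forwarding VS, IP::local_addr is the destination the client addressed.
    if { [class match [IP::local_addr] equals rfc1918_nets] } {
        snat none
    }
}
}
```

With the two-VS layout the LTM picks the most specific match, so management traffic is forwarded unchanged and everything else still falls through to the automap catch-all. The iRule layout makes the same decision per connection on one VS, which is easier to extend by editing the data group than by adding virtual servers.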

  • Here is the issue I can ping the server directly but I am unable to reach the server via Remote Desktop with the current config

    Where is the RDP client? Is it coming from external VLAN 100?

    What IP does the RDP client connect to? Is it the real server IP (10.200.1.10)?

    If yes, have you tried to configure a network forwarding IP virtual server (e.g. 10.200.1.0:any/0) listening on external VLAN 100?

  • Thank you both for your responses. I set up the second FVS as mentioned by Chris, and this fixed the original issue; however, it has introduced yet another issue where traffic from a real server on the same internal VLAN, using the f5 as the DG and destined for a VS on the external VLAN VIP side, was no longer accessible. So in essence it can hit another internal server, but it can get the VIP on the external side back into that server.

    Thank you both for your responses