Forum Discussion

Andy_Barron_232
Aug 09, 2016

SNAT problem on 9.3.1

I currently have 1 pair of LTMs where my current configuration works, and one where it doesn't. Here is the setup:


1 KVM currently going to a switch with a private VLAN setup that only has 3 ports: 1 for the KVM port, and 1 port for each of the F5s. The F5s and KVM are set up within the same /24 network. This is all set up on the F5s in a VLAN called KVM. I'm trying to log into the KVM with a RADIUS username and password that is verified on a Cisco ACS on a VLAN labeled as external on the F5.


I set up the SNAT so that the Translation is to an address on the same network as the ACS in the external VLAN which is not used by any other device. The origin is set for Address List, and that list only contains one IP address, which is the KVM address on the private KVM VLAN. It is enabled only on the KVM VLAN.


When I do a tcpdump on the external interface, I see the KVM private network address trying to go to the public ACS address. I should be seeing the SNAT address trying to reach the public ACS address.


I have this identical setup on a different LTM pair, and it works properly. It's just this set that doesn't work. I would prefer not to swap which LTM is active or standby, as if there is an issue, this device is difficult to physically access to fix any issues. Is there a log or service I might be able to check on the LTM in order to check why the SNAT isn't working?


3 Replies

  • you probably heard it before, but 9.3.1? that is end of everything for quite some time now. it would be wise to look into upgrading / replacing.


    as for the snat issue, don't know any log or such. how did you configure it, is the KVM (what is that btw, remote access device?) hitting a forwarding virtual server that applies the snat?


    is that virtual server actually hit?


  • I was using the Local Traffic >> SNATs >> SNAT List, and did have a forwarding virtual server, but it was a default route forwarding virtual server which was apparently causing me issues. I have the same default route forwarding virtual server on the setup that is working, but for some reason the SNAT works there. I set up a more specific forwarding virtual server, and used a SNAT pool with the IP address I wanted to use, and it is working.


    Also in the case 2 option I had forgotten to choose UDP as my protocol which was causing it not to work. After you mentioned it I tried that and it worked great. I'm going with the forwarding virtual server method instead of the second method for future use.


    Thank you for the help, I'm relatively new to the F5s and things like this are a great learning experience.
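The fix described in the last reply, written out as an added tmsh configuration example (not taken from the thread, and in current tmsh syntax rather than the bigpipe syntax of 9.3.1). All addresses, VLAN names, object names and the RADIUS port are assumed placeholders:

```tmsh
# Added example, not from the thread. Placeholders used below:
#   10.10.10.50     the KVM on the private "KVM" VLAN (10.10.10.0/24)
#   198.51.100.20   Cisco ACS RADIUS server on the "external" VLAN
#   198.51.100.200  unused address on the ACS subnet, used as the SNAT address
#   1812/udp        RADIUS authentication port (use 1645 if the ACS listens there)

# SNAT pool holding the single translation address on the external subnet
ltm snatpool snatpool_kvm_radius {
    members {
        198.51.100.200
    }
}

# Before: the catch-all (default route) forwarding virtual server. Traffic from
# the KVM matches it, but no SNAT is attached, so tcpdump on external still
# shows 10.10.10.50 as the source talking to the ACS.
ltm virtual vs_forward_default {
    destination 0.0.0.0:any
    mask any
    ip-forward
    ip-protocol any
    profiles { fastL4 { } }
    vlans-enabled
    vlans { KVM }
}

# After: a more specific forwarding virtual server for RADIUS only (UDP, the
# protocol the second reply had to set explicitly), limited to the KVM source
# and the KVM VLAN, with the SNAT pool attached. Because the destination,
# port, protocol and source are all more specific, it is chosen over the
# catch-all above for this traffic.
ltm virtual vs_forward_kvm_radius {
    destination 198.51.100.20:1812
    mask 255.255.255.255
    ip-forward
    ip-protocol udp
    source 10.10.10.50/32
    profiles { fastL4 { } }
    source-address-translation {
        pool snatpool_kvm_radius
        type snat
    }
    vlans-enabled
    vlans { KVM }
}
```

To confirm the specific virtual server is actually being hit (the first reply's question), `tmsh show ltm virtual vs_forward_kvm_radius` reports its connection and packet counters; `tcpdump -ni external host 198.51.100.20` should then show 198.51.100.200, not the private KVM address, as the source.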