Forum Discussion

Haitham_Hadad_3
Mar 09, 2018

F5 Internal Server can't access internet without NAT

Hi,

We have an internal server connected to the internal LAN of an F5 LTM. The F5 LTM is connected to two Huawei active/active firewalls. The server's gateway is the self IP of the F5. A forwarding IP virtual server is created on the F5 for the internal VLAN, and a default route points to the virtual address of the Huawei firewalls. The Huawei firewalls have a route back to the internal server VLAN pointing to the external virtual server IP address of the F5. The internal server can ping the F5 internal and external interface self IPs and can ping the external virtual server, but can't ping the Huawei firewalls or the internet router that is behind the firewalls. The F5 can ping the internet router with a source address from the internal VLAN. The firewalls can ping the external virtual server but can't ping the internal server VLAN.

All settings on the firewalls are set correctly, as per the firewall engineer.

Internet access is not working on the internal server, but incoming requests to the virtual server from the internet are working fine and we can access the internal server from outside.

Trying SNAT didn't help, as we thought it is not needed here.

Doing NAT for the internal server IP address to the external F5 self IP address solves the issue and the server could access the internet.

The F5 engineer confirmed we shouldn't use NAT, as it is impossible to do this NAT for all the servers inside the F5.

So please help: what may be the issue that is solved using the NAT? And how could the server access the internet while having the F5 as its gateway?

Thanks,
Haitham

2 Replies

  • nathe

    Haitham,

    You will need to translate the internal server IP address behind a publicly accessible IP of some sort at some point. I think the F5 engineer recommended not using NAT because NAT is a one-to-one mapping of an internal address and a translation address, so it doesn't scale very well. SNATs, on the other hand, can be a many-to-one translation, so you could specify a network range as the origin and then a single translated address. Hopefully this article helps: Nats and Snats.

    You could create the SNAT as the external virtual server address, I believe.

    Hope this helps,

    N
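As an added example (not from this thread), the tmsh form of what nathe describes: a forwarding virtual server on the internal VLAN with a many-to-one SNAT pool, so every internal host leaves the F5 behind one translation address instead of one NAT object per server. The VLAN name "internal", the subnet 10.10.1.0/24, the translation address 192.168.1.50, the server 10.10.1.11 and the object names are all assumed.

```tmsh
# Added example, not from this thread: outbound internet access for the internal
# VLAN via a forwarding virtual server plus a many-to-one SNAT pool.
#
# Assumed: VLAN "internal" is 10.10.1.0/24; 192.168.1.50 is a free address on
# the external VLAN that the firewalls route back to the F5 (nathe suggests the
# external virtual server address could be used for this instead).

# One translation address shared by every internal host (many-to-one).
create ltm snatpool snatpool_outbound members add { 192.168.1.50 }

# Forwarding virtual server: accepts any destination arriving from the internal
# VLAN, forwards it using the F5 routing table (default route to the firewalls),
# and rewrites the source address to the SNAT pool member.
create ltm virtual vs_outbound_forward destination 0.0.0.0:any mask any ip-forward profiles add { fastL4 } vlans add { internal } vlans-enabled source 10.10.1.0/24 source-address-translation { type snat pool snatpool_outbound }

save sys config

# Check: for a flow from the internal server (assumed 10.10.1.11) the connection
# table lists the client-side and server-side (translated) addresses together.
show sys connection cs-client-addr 10.10.1.11
```

Because every internal host now appears to the firewalls as 192.168.1.50, firewall logs alone no longer identify the originating server; the F5 connection table (or request logging on the F5) is where that mapping lives during an investigation.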

     

  • Hi, I am not able to reach the VIP (inside server) from the outside network in a VMware lab environment. I am new to F5, please help me out. Inside network: 10.10.1.X/24, MGMT network: 9.1.1.X/24, External network: 192.168.1.X/24.

    I changed SNAT to auto but I am still facing the same problem.

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 external
    9.1.1.0         0.0.0.0         255.255.255.0   U     0      0        0 mgmt
    10.10.1.0       0.0.0.0         255.255.255.0   U     0      0        0 internal
    127.1.1.0       0.0.0.0         255.255.255.0   U     0      0        0 tmm
    127.7.0.0       127.1.1.253     255.255.0.0     UG    0      0        0 tmm
    127.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 tmm_bp
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 external
    [root@BIG-IP-Lab-1:Active:Standalone] config

    [root@BIG-IP-Lab-1:Active:Standalone] config curl -H "Host: VIPIP" http://10.10.1.11/monitor/bigip.html
    Server Up
    [root@BIG-IP-Lab-1:Active:Standalone] config