BIGIP LTM - Outbound DESTINATION NAT

Question

Hello,&nbsp;
I have the following constraints. The customer has an instance in AWS. We have an IPSEC Tunnel between the F5 in the data center and AWS. The subnet used in AWS for various reasons cannot be routed inside our DC network. So for traffic initiated from AWS I have a forwarding VS that does SNAT and the routing layer between the F5 and the server has no issues as the SNAT IP is an IP on a internal subnet (say 1.0.0.1). However if the servers in the DC need to initiate the connection to servers outside, the only solution I can think of is using destination NAT. So the internal server (10.0.0.1) will send traffic to 1.0.0.2 and the F5 would need to NAT that destination to the real IP (say 192.168.1.2). 1to1 NAT is possible on the F5 but it always assumes a source IP being NATed not a destination IP. Any ideas how I can have the destination NAT done?&nbsp;
Thank you
Carol&nbsp;

petewhite · Answer

You can use a Layer 4 virtual server instead. ie a VS with the internal network IP of the AWS server ( 10.0.0.2 ), the pool member as the actual IP of the AWS server and use the SNAT to change the source address as well. You can set loose init and loose close on the fastL4 profile to make it act like a router.&nbsp;
The problem is that you are doing forwarding on your VS, where the destination address is not changed.&nbsp;

domokos_23867 · Answer

Thank you. I tried it and it seems to work fine.&nbsp;

petewhite · Answer

You can use a Layer 4 virtual server instead. ie a VS with the internal network IP of the AWS server ( 10.0.0.2 ), the pool member as the actual IP of the AWS server and use the SNAT to change the source address as well. You can set loose init and loose close on the fastL4 profile to make it act like a router.&nbsp;
The problem is that you are doing forwarding on your VS, where the destination address is not changed.&nbsp;

Forum Discussion

BIGIP LTM - Outbound DESTINATION NAT

3 Replies

Recent Discussions

F5 APM with OIDC Web Duo Prompt

F5 not sending traffic to Web pool

VPN fragmented IP packets dropped

Health Monitor via MGMT (DCDs)

F5Access | MacOS Sonoma

Related Content

Re: BigIP Report

BigIP Report Old

SSL Orchestrator Advanced Use Cases: Outbound SNAT Persistence

Behavior of outbound DNS query from LTM behavior

Block destination IP by source IP