Forum Discussion

NoelMcK_381487
Feb 17, 2019

Outbound SNAT with private external address

I need to set up an outbound SFTP connection from the 10.x.x.x servers to the Internet beyond the FW. Configuring a SNAT outbound from the source 10.x.x.x servers to a source 200.x.x.x/32 address on the F5 would seem to be the best/most secure option. (The FW will have a route for return traffic to 200.x.x.x/32 via its 172.x.x.x interface.)

How does the F5 know which interface to push the translated traffic out to?

Is there a route I need to add for the 200.x.x.x/32 address with the 172.x.x.x interface as next hop?

30 Replies

  • Configuration should be like below: F5 (10.x.x.x) ---> Firewall (172.x.x.x) ---> NAT should be on the firewall for 172.x.x.x to 200.x.x.x

    You need to configure as mentioned below:

    1. Configure the F5 VIP; the pool member should be 172.x.x.x. For example, the pool member is 172.1.1.1.
    2. You should create a NAT on the firewall for 172.1.1.1, and it should map to the public IP 200.1.1.1.
    3. The F5 should have routes towards the firewall.
    4. The firewall should have a route towards the Internet.

    I hope this helps.

    • NoelMcK_381487

      I assume the VIP is a 10.x.x.x addr on the inside? If that's the case, the F5 will perform the destination translation to 172.1.1.1 outbound?

      The destination IP that the 10.x.x.x servers will connect to could be any public IP. I should also mention that one of the other external legs of the F5 has a public IP range and is connected to another interface on the FW. The default route for the F5 is pointing via this interface.

    • RaghavendraSY

      Can you please provide the F5 interface IP address details? I am assuming like this.

      F5 internal IP address is 10.x.x.x; F5 external IP address is 172.x.x.x towards the firewall. Firewall external IP address will be external IPs; firewall internal IP address will be internal IPs.
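
To make the thread concrete, here is the design in BIG-IP tmsh as an added example that is not from any of the posters: SNAT to the 200.x.x.x address on the F5 (the original plan) combined with the first reply's pool member 172.1.1.1, read as a next-hop gateway with destination translation disabled. The object and VLAN names, the self IP 172.1.1.10/24 and the 10.0.0.0/8 source range are assumptions; 172.1.1.1 and 200.1.1.1 are the addresses used in the reply.

```tmsh
# Added example, not from any poster in this thread. 172.1.1.1 and 200.1.1.1
# are the addresses from the first reply; the object names, the VLANs
# external_fw and internal (assumed to exist already), the self IP
# 172.1.1.10/24 and the 10.0.0.0/8 source range are constructed.

# Self IP on the leg facing the firewall. allow-service none stops the
# BIG-IP from accepting any service (management or otherwise) on it.
create net self fw_leg address 172.1.1.10/24 vlan external_fw allow-service none

# SNAT pool holding the private "external" 200.x.x.x source address. The
# BIG-IP owns a SNAT translation address, so it needs no net route for it;
# the firewall's route for 200.1.1.1/32 back to 172.1.1.10 carries the
# return traffic.
create ltm snatpool sftp_snat members add { 200.1.1.1 }

# Gateway pool: the firewall's inside address on port 0 (any port).
# gateway_icmp marks the member down if the firewall stops answering.
create ltm pool fw_gateway_pool members add { 172.1.1.1:0 } monitor gateway_icmp

# Wildcard forwarding virtual for outbound SFTP only. With translate-address
# disabled the real Internet destination is kept and the pool member is just
# the next hop, so egress follows the route to 172.1.1.1 (the directly
# connected external_fw VLAN) rather than the BIG-IP default route.
# source and vlans restrict it to the 10.x servers arriving on the inside.
create ltm virtual outbound_sftp_fwd \
    destination 0.0.0.0:22 mask 0.0.0.0 \
    ip-protocol tcp \
    profiles add { fastL4 } \
    source 10.0.0.0/8 \
    vlans add { internal } vlans-enabled \
    pool fw_gateway_pool \
    translate-address disabled translate-port disabled \
    source-address-translation { type snat pool sftp_snat }

save sys config

# Checks: the routing table the pool member resolves through, the
# firewall member's monitor state, and connection counters on the virtual.
show net route
show ltm pool fw_gateway_pool members
show ltm virtual outbound_sftp_fwd
```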
