Forum Discussion

Nik
Jun 29, 2009

forwarding/nat/snat help

Hi, I've been scouring the documentation and forums but have had no success solving my problem. Basically the issue is that we have an application that is very picky about incoming packets as a denial-of-service prevention precaution. As far as I can see, if the packet is changed/translated/etc. at all it will be rejected.

I can set this up with a one-to-one NAT on our Check Point firewall and it works wonderfully; however, when I create a NAT pool on our F5 (yes, the node's default gateway is the F5) it rejects the traffic. I know it's the application because I can set up a plain vanilla VLAN for forwarding MS Remote Desktop and it functions fine.

So far I've tried a single NAT (everything else but this app works), all types of SNATs, and tinkered with IP forwarding a bit, which I had no luck with.

Any help you guys could offer would be greatly appreciated. Thanks!

3 Replies

  • Are you trying to load balance this traffic? What protocol is the application using? Does the application need to initiate its own connections back to the client?

    I'm guessing a Performance Layer 4 VIP with a FastL4 profile without SNAT on the virtual server might work.

    Aaron
  • Posted By hoolio on 07/01/2009 12:28 AM

    Are you trying to load balance this traffic? What protocol is the application using? Does the application need to initiate its own connections back to the client?

    I'm guessing a Performance Layer 4 VIP with a FastL4 profile without SNAT on the virtual server might work.

    Aaron

    It's a protocol proprietary to this application, but would the protocol matter at all? I want to forward packets without analyzing/parsing/changing them at all. This is why I had mentioned that we have succeeded in doing this through Check Point.

    As far as connections: the client initiates the starting handshake and makes all requests after. There is a socket that's kept open, but the server itself never makes an initial request to the client. I have tried making a SNAT for this particular machine, but that didn't seem to do anything.

    FastL4 + Performance Layer 4 + address/port translation + no SNAT works for *everything else* I can throw at it (MS RDP, HTTP, etc.) but not this protocol.
  • I was wondering what protocol it was to determine whether the server might be initiating connections. If so, a single VS probably couldn't have worked.

    I'm not sure what would be different between a NAT on your Check Point versus a PerfL4 VS with address/port translation enabled and no SNAT. Maybe it's the port translation? Do you have the VS defined on a different port than the server?

    Aaron
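The configuration Aaron describes, written out as an added tmsh example rather than anything posted in the thread. Object names, the VIP address 192.0.2.10, the server 10.0.0.20 and the application port 5000 are all constructed placeholders. The point of the example is to minimise what BIG-IP rewrites: only the destination IP is translated (to the pool member), the destination port is left alone (translate-port disabled, and the VS listens on the same port as the server anyway), and source-address translation is off so the client IP reaches the server unchanged. Because there is no SNAT, the server's return traffic must route through the BIG-IP, which the original post says is already the node's default gateway.

```tmsh
# Added example (not from the thread). Assumed values: VIP 192.0.2.10,
# server 10.0.0.20, application port 5000, object names app_pool / app_vs_l4.

# Single-member pool; no health monitor shown, so add one appropriate to the app.
create ltm pool app_pool members add { 10.0.0.20:5000 }

# Performance (Layer 4) virtual server:
#   - fastL4 profile: packets are switched at L4, not proxied by TCP Express
#   - translate-address enabled: destination IP rewritten to the pool member
#   - translate-port disabled: destination port passed through untouched
#   - source-address-translation none: client source IP is preserved (no SNAT)
create ltm virtual app_vs_l4 \
    destination 192.0.2.10:5000 \
    ip-protocol tcp \
    profiles add { fastL4 } \
    pool app_pool \
    translate-address enabled \
    translate-port disabled \
    source-address-translation { type none }

save sys config

# Checks to run while the client connects. First confirm the VS is up and
# counting connections; then capture on the server-side VLAN and compare
# the source IP/port and destination port with what the client sent.
show ltm virtual app_vs_l4
tcpdump -ni 0.0 host 10.0.0.20 and port 5000
```

If the capture shows the client's source IP and destination port arriving at 10.0.0.20 unchanged and the application still rejects the session, the difference from the Check Point one-to-one NAT is not header translation, and the next thing to compare in the capture is the TCP options and TTL the server sees over each path.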