Forum Discussion

Harish_Babu's avatar
Harish_Babu
Icon for Nimbostratus rankNimbostratus
Dec 08, 2023

F5 AFM Source / Destination NAT

Hello Team
 
We are having F5 DNS+AFM, the DNS configured as a transparent cache with DoS and access rules in place, diagram provided for better understanding of the setup.
 
 
We want to enable NAT (1:1) from inside to outside and from outside to inside. The configuration is done by following the article below.
 
 
The AFM is in firewall mode.
 
When we do a 'show net packet-tester security' we can see UDP and ICMP getting translated, but TCP is dropped (output attached), provided below. On the firewall log we can see the traffic is translated and forwarded, but no response.
 
Support and guidance is much appreciated.
 
Regards
Harish Babu
security

5 Replies

Sort By
  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Icon for MVP rankMVP
    Dec 08, 2023

    Hi Harish_Babu , 

    While the transulation hasn't happened for TCP and the Bigip AFM ACL Allow this for TCP .... let we suspect the issue in the forwarding Virtual server >> it works for ( ICMP and UDP ) but TCP not.

    maybe this is an issue because all tcp traffic distributed accross all tmms from single IP which is not the proper thing for TCP ( connection-oriented ) so we need to make tcp sessions to be handled accross single tmm per user. 

    So open Vlan ( Src Vlan /Common/INTERNAL_VLAN ) >>> switch ( Configuration to advanced instead od basic ) >>> change CMP-Hash ( from default to source address ) if not worked change it to ( source and destination and port ). 

    If not worked. 
    Take a packet capture for sample ip using this command : 

     

    tcpdump -vvnni 0.0:nnnp host <src_IP> -s0 -vw /var/tmp/Test_tcp.pcap

     

     and let me have a look. 

    Another approach: 

    Can you run this test of udp and tcp on packet tester on gui as well >>> I need you to detect the policy and rule name which allowed this connection. 

    you are using only one policy in global context with " allow decisively " action , is that correct ?

     

  • Harish_Babu's avatar
    Harish_Babu
    Icon for Nimbostratus rankNimbostratus
    Dec 11, 2023

    Hello Mohamed Kansoh

    I’m thankful for your reply.

    Unfortuantly the CMP-Hash did not make any diffrence.

    In the packet-tester, we can see the traffic is dropped by the VS (missing flow).

    In the packet capture we can see only sync, attached same for your reference.

    We tried the policy on both VS and Global.

    Regards

    Harish Babu

    • Mohamed_Ahmed_Kansoh's avatar
      Mohamed_Ahmed_Kansoh
      Icon for MVP rankMVP
      Dec 12, 2023

      Okay Harish_Babu , 

      - why dns udp requesting timeout ? in the last snap shot ? 

      - Are you sure you have attached the NAT policy to "Forward_VS" ? 
      it's strange why bigip doesn't perform NATing after receiving SYN ! 

      - Create a global policy which allows ( UDP port 53 / TCP port 443 , ssh ) traffic  , with Action " accept decisively " , to prevent further checks on virtual server context ? 
      this is just for testing >> 
      make sure that in the FW mode options ( Virtual server / selfip context ) is set to accept not drop.

      -Are you sure you have changed the CMP-Hash to source address in Vlan Tag 300 ( which is the ingress Vlan for traffic directed to forward_VS ) 

      - Check this article for ingress drops : https://my.f5.com/manage/s/article/K10191

      let me know the updates 

  • Nikoolayy1's avatar
    Nikoolayy1
    Icon for MVP rankMVP
    Dec 14, 2023

     

    To add to Mohamed_Ahmed_Kansoh  suggestions.

     

    Better have 3 forwarding virtual server 1 for TCP , 1 For UDP and 1 for TCP then investigate. See the article https://my.f5.com/manage/s/article/K5867 for ICMP only virtual.

     

     

    Also the DNS part do you have a listener of UDP DNS and one for TCP DNS ? Is there any F5 DNS Firewall that the AFM has that can filter the TCP?

     

    Also see if have asymetric routing as TCP can have issue with this https://my.f5.com/manage/s/article/K13558

     

  • Harish_Babu's avatar
    Harish_Babu
    Icon for Nimbostratus rankNimbostratus
    Jan 08, 2024

    Hello Mohamed_Ahmed_Kansoh & Nikoolayy1

    Thank you very much for the support.

    The issue is solved, we changed the NAT IP to a new subnet and it started working with a single wildcard VS.

    I have a doubt on the firewall policy, when we apply firewall policy on the VS it's working fine but when we apply the same rule on the global it's not working. However when we apply a deny policy on global, its working. Please let me know if I am missing something.

    Regards

    Harish Babu