Ed_26015
Dec 04, 2010 (Nimbostratus)
Source routing with iRules
Hi all,
I hope you can help.
I have two interfaces on the F5 that connect back to a Cisco PIX again on different interfaces.
Topology is 10.130.4.1 & 10.130.32.1 for the PIX gateways and 10.130.4.10 & 10.130.32.10 for the F5.
Behind the F5 is a DMZ network and a Portal Network.
The DMZ network needs to route back through the 10.130.4.1 gateway whilst the Portal network needs to route back through the 10.130.32.1.
The portal has four other networks (10.130.52.0/24, 10.130.53.0/24, 10.130.54.0/24 & 10.130.55.0/24) which also need to route back through the 10.130.32.1 gateway.
I have setup a virtual server and iRule for this routing as well as a NAT for the 10.130.32.0/22 network to map to the Portal backend networks.
The iRule is:
when CLIENT_ACCEPTED {
    set failed 0
    # Portal networks: send the connection back via the 10.130.32.1 PIX gateway
    # (Tcl needs whitespace between the closing brace of the condition and the
    # opening brace of the body; "]}{" is parsed as "extra characters after close-brace")
    if { [IP::addr [IP::client_addr] equals 10.130.52.0/24] } {
        node 10.130.32.1
    } elseif { [IP::addr [IP::client_addr] equals 10.130.53.0/24] } {
        node 10.130.32.1
    } elseif { [IP::addr [IP::client_addr] equals 10.130.54.0/24] } {
        node 10.130.32.1
    } elseif { [IP::addr [IP::client_addr] equals 10.130.55.0/24] } {
        node 10.130.32.1
    # DMZ network: send the connection back via the 10.130.4.1 PIX gateway
    } elseif { [IP::addr [IP::client_addr] equals 10.130.8.0/22] } {
        node 10.130.4.1
    }
    # No branch matched: the connection follows the default route
}
However, this isn't routing correctly, as the PIX logs show:
2010-12-04 14:02:35 Local4.Debug 172.25.x.x Dec 04 2010 14:02:36: %PIX-7-609001: Built local-host schools-portal:10.130.33.13
2010-12-04 14:02:35 Local4.Info 172.25.x.x Dec 04 2010 14:02:36: %PIX-6-302020: Built outbound ICMP connection for faddr 10.130.33.13/0 gaddr edjones-pc/1 laddr edjones-pc/1
2010-12-04 14:02:35 Local4.Alert 172.25.x.x Dec 04 2010 14:02:36: %PIX-1-106021: Deny ICMP reverse path check from edjones-pc to 10.130.55.10 on interface dmz-servers
I suspect the DMZ reverse path check failing means that the iRule and virtual server source routing isn't working correctly. The traffic is basically trying to be routed through the DMZ gateway (10.130.4.1).
Please can you tell me how to get these iRules working so that I can connect to the backend networks?
Cheers,
Ed
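An added example (not part of the original post or of F5's or Cisco's software) that models the source-based next-hop selection in the iRule above as a longest-prefix lookup, parses the PIX %PIX-1-106021 reverse path check denies out of log lines like the ones quoted, and models the PIX check itself so the denied packet can be reasoned about offline. The prefixes, gateways and F5 self IPs are taken from the post; the PIX interface names other than dmz-servers, the PIX routing table and the 172.25.10.20 address standing in for the edjones-pc hostname are constructed assumptions.

```python
"""Model of the F5 source routing and the PIX reverse path check from the post.
Added example; addresses marked 'assumed' are not from the original thread."""
import ipaddress
import re

# From the post: source network -> gateway the iRule selects with `node`
SOURCE_ROUTES = {
    "10.130.52.0/24": "10.130.32.1",
    "10.130.53.0/24": "10.130.32.1",
    "10.130.54.0/24": "10.130.32.1",
    "10.130.55.0/24": "10.130.32.1",
    "10.130.8.0/22": "10.130.4.1",
}

# From the post: each PIX gateway shares a subnet with one F5 self IP
F5_INTERFACE_FOR_GATEWAY = {
    "10.130.4.1": "10.130.4.10",
    "10.130.32.1": "10.130.32.10",
}

# Assumed PIX routing table (the post only names the dmz-servers interface):
# (prefix, interface through which the PIX reaches that prefix)
PIX_ROUTES = [
    ("10.130.4.0/24", "dmz-servers"),
    ("10.130.8.0/22", "dmz-servers"),
    ("10.130.32.0/22", "portal-servers"),   # assumed interface name
    ("10.130.52.0/22", "portal-servers"),   # assumed interface name
    ("172.25.0.0/16", "inside"),            # assumed: where edjones-pc lives
]


def longest_prefix(addr, table):
    """Return the value paired with the longest prefix in `table` that contains addr.

    `table` is an iterable of (prefix, value) pairs; None means nothing matched."""
    ip = ipaddress.ip_address(addr)
    best_net, best_value = None, None
    for prefix, value in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_value = net, value
    return best_value


def select_gateway(client_addr):
    """Gateway the iRule's if/elseif chain picks for a connection from client_addr.

    None means no branch fires and the connection follows the default route."""
    return longest_prefix(client_addr, SOURCE_ROUTES.items())


def f5_egress_interface(client_addr):
    """F5 self IP the chosen gateway is reached through, or None if no branch fires."""
    gw = select_gateway(client_addr)
    return F5_INTERFACE_FOR_GATEWAY.get(gw) if gw else None


def reverse_path_ok(src, ingress_iface):
    """PIX reverse path check: accept only if the packet arrived on the interface
    the PIX would itself use to route back to the packet's source address."""
    return longest_prefix(src, PIX_ROUTES) == ingress_iface


RPF_DENY = re.compile(
    r"%PIX-1-106021: Deny (?P<proto>\S+) reverse path check from (?P<src>\S+) "
    r"to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_rpf_denies(lines):
    """Extract (protocol, src, dst, interface) from 106021 lines; other messages are skipped."""
    found = []
    for line in lines:
        m = RPF_DENY.search(line)
        if m:
            found.append((m["proto"], m["src"], m["dst"], m["iface"]))
    return found


# Two of the log lines quoted in the post (the 172.25.x.x relay address is as printed there)
PIX_LOG = [
    "2010-12-04 14:02:35 Local4.Info 172.25.x.x Dec 04 2010 14:02:36: %PIX-6-302020: "
    "Built outbound ICMP connection for faddr 10.130.33.13/0 gaddr edjones-pc/1 laddr edjones-pc/1",
    "2010-12-04 14:02:35 Local4.Alert 172.25.x.x Dec 04 2010 14:02:36: %PIX-1-106021: "
    "Deny ICMP reverse path check from edjones-pc to 10.130.55.10 on interface dmz-servers",
]

if __name__ == "__main__":
    for proto, src, dst, iface in parse_rpf_denies(PIX_LOG):
        print(f"{proto} {src} -> {dst} dropped by reverse path check on {iface}")
        print(f"  iRule gateway for traffic sourced from {dst}: {select_gateway(dst)} "
              f"(via F5 self IP {f5_egress_interface(dst)})")
        # edjones-pc is a hostname in the log; an assumed inside address stands in for it
        print(f"  packet from an inside host accepted on {iface}? "
              f"{reverse_path_ok('172.25.10.20', iface)}")
```

Running it prints the parsed deny, shows that 10.130.55.10 does sit inside a /24 the rule maps to 10.130.32.1 (reached via the 10.130.32.10 self IP), and that a packet sourced from an inside host is rejected when it shows up on dmz-servers, because the PIX's own route to that source points at a different interface. A source address that matches none of the listed prefixes makes select_gateway return None, which is the case where the iRule takes no `node` action at all and the default route decides.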