Forum Discussion

George_33482
Dec 14, 2011

Snat on the egress interface + vpn connection

Hi all,

I have an LTM + LC and I am load balancing 2 ISPs, and I have an ASA (behind the LC) which terminates a VPN. I want to perform SNAT on the egress interface on the F5. Using automap does not help since I have to NAT the ASA internal IP address to the public IP address (the peer address that the remote VPN device uses).

I created a wildcard VS with a wildcard port and do automap on the internal VLAN (for browsing).

I created a wildcard VS with port 500 and another with 4500 mapped to the internal VLAN (for VPN). Here I want to SNAT to one IP address if the packet leaves external VLAN 1 and SNAT to another IP address if it leaves external VLAN 2. (This is the same concept as automap, but I want to choose the address.)

If the VPN is initiated from outside, I created a VS with an IP address (the peer address of the VPN) on ports 500 and 4500 on external VLAN 1 and external VLAN 2, which is the same IP address(es) I SNATted to before.

I hope this concept is OK.

Anyway, does anyone have an iRule that SNATs to a specific IP address based on the egress interface?

Thank you in advance

Regards,

George

4 Replies

  • Hi George,

    You can check the VLAN ID using LINK::vlan_id:

    http://devcentral.f5.com/wiki/iRules.link.ashx

    Can you post a simple diagram with sample VLANs and IP addresses for this scenario? There might be a simpler way to configure SNAT than hardcoding the VLAN ID in an iRule.

    Aaron
  • George

    I have done something similar with an IPsec tunnel on my new v11 LTM that terminates the IPsec VPN, and I have another LTM behind it that NATs the traffic before it enters the tunnel. The way I have done this is by creating a VS on my downstream LTM that listens for the traffic on x.x.x.x:any with a custom SNAT pool. The custom SNAT pool (ISP1_outbound) only contains the NAT address y.y.y.y for egress to the IPsec tunnel on my upstream LTM. This forces the traffic to be NATed before it hits the upstream LTM and enters the tunnel, so that the tunnel knows it is to be sent to the opposite peer gateway using ESP.

    Hope this helps.

  • Hello Guys,

    Thank you for your reply.

    Maybe I over-explained myself, but actually all I want now is to SNAT to an IP address in the subnet of external VLAN 1 (connected to router1) and SNAT to an IP address in the subnet of external VLAN 2 (connected to router2), depending on the link that the LTM will load balance on. This is because I have an ASA and I want to SNAT its IP to the public IP address that is the peer address of the VPN.

    Most probably it is an iRule and I don't know how to write it.

    I don't know why a simple concept gets very complicated to configure in F5.

    Regards,

    George
  • Is it similar to this? If yes, please make sure you add a route for the NATed address back to the F5 at the Cisco ASA.

    Please let me know if I misunderstood your question.

    [root@ve1023:Active] config  b self list
    self 172.28.19.80 {
       netmask 255.255.255.0
       vlan external
       allow default
    }
    self 200.200.200.10 {
       netmask 255.255.255.0
       vlan internal
       allow default
    }
    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination any:any
       mask 0.0.0.0
       ip protocol 6
       rules myrule
    }
    [root@ve1023:Active] config  b pool foo list
    pool foo {
       members {
          172.28.19.253:any {}
          172.28.19.254:any {}
       }
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when LB_SELECTED {
            if {[LB::server addr] equals "172.28.19.254"} {
                    snat 1.1.1.1
            } else {
                    snat 2.2.2.2
            }
    }
    }
    
    1.1.1.1 is used when 172.28.19.254 is selected.
    
    [root@ve1023:Active] config  tcpdump -e -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    13:19:20.719522 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 78: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49654 > 8.8.8.8.80: S 1754565966:1754565966(0) win 5840 
    13:19:20.719571 00:50:56:b3:01:0a > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 82: vlan 4093, p 0, ethertype IPv4, 8.8.8.8.80 > 200.200.200.101.49654: S 1646625070:1646625070(0) ack 1754565967 win 4380 
    13:19:20.720493 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 70: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49654 > 8.8.8.8.80: . ack 1 win 46 
    13:19:20.720561 00:50:56:b3:00:b5 > 00:01:e8:d5:d4:47, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 1.1.1.1.49654 > 8.8.8.8.80: S 1628743767:1628743767(0) win 4380 
    13:19:20.720567 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 219: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49654 > 8.8.8.8.80: P 1:150(149) ack 1 win 46 
    13:19:20.820337 00:50:56:b3:01:0a > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 70: vlan 4093, p 0, ethertype IPv4, 8.8.8.8.80 > 200.200.200.101.49654: . ack 150 win 4529 
    13:19:23.720497 00:50:56:b3:00:b5 > 00:01:e8:d5:d4:47, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 1.1.1.1.49654 > 8.8.8.8.80: S 1628743767:1628743767(0) win 4380 
    
    2.2.2.2 is used when 172.28.19.253 is selected.
    
    [root@ve1023:Active] config  tcpdump -e -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    
    13:19:33.969451 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 78: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49655 > 8.8.8.8.80: S 616950208:616950208(0) win 5840 
    13:19:33.969477 00:50:56:b3:01:0a > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 82: vlan 4093, p 0, ethertype IPv4, 8.8.8.8.80 > 200.200.200.101.49655: S 720591584:720591584(0) ack 616950209 win 4380 
    13:19:33.970379 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 70: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49655 > 8.8.8.8.80: . ack 1 win 46 
    13:19:33.970424 00:50:56:b3:00:b5 > 00:50:56:b3:03:7f, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 2.2.2.2.49655 > 8.8.8.8.80: S 3355095084:3355095084(0) win 4380 
    13:19:33.970427 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 219: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49655 > 8.8.8.8.80: P 1:150(149) ack 1 win 46 
    13:19:34.070257 00:50:56:b3:01:0a > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 70: vlan 4093, p 0, ethertype IPv4, 8.8.8.8.80 > 200.200.200.101.49655: . ack 150 win 4529 
    13:19:36.970404 00:50:56:b3:00:b5 > 00:50:56:b3:03:7f, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 2.2.2.2.49655 > 8.8.8.8.80: S 3355095084:3355095084(0) win 4380 
    
    [root@ve1023:Active] config  b arp
    ARP 172.28.19.253 - 00:50:56:B3:03:7F   VLAN external   expire 54s   resolved
    ARP 172.28.19.254 - 00:01:E8:D5:D4:47   VLAN external   expire 274s   resolved
    ARP 200.200.200.101 - 00:50:56:B3:01:0B   VLAN internal   expire 284s   resolved
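A small check of the behaviour shown in the capture above, added here as an example and not code from the thread or from F5: it parses the tcpdump -e and `b arp` output, correlates each internal SYN with the SNATed SYN on the external VLAN by destination and source port, and confirms the SNAT source matches the gateway the iRule selected. The sample lines are copied in shape from the reply; VLAN IDs 4093/4094 for internal/external and the port-preserving SNAT are assumptions taken from that capture.

```python
import re

# Constructed sample lines, copied in shape from the tcpdump -e output and
# the "b arp" table in the reply above (not live data).
TCPDUMP = """\
13:19:20.719522 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 78: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49654 > 8.8.8.8.80: S 1754565966:1754565966(0) win 5840
13:19:20.719571 00:50:56:b3:01:0a > 00:50:56:b3:01:0b, ethertype 802.1Q (0x8100), length 82: vlan 4093, p 0, ethertype IPv4, 8.8.8.8.80 > 200.200.200.101.49654: S 1646625070:1646625070(0) ack 1754565967 win 4380
13:19:20.720561 00:50:56:b3:00:b5 > 00:01:e8:d5:d4:47, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 1.1.1.1.49654 > 8.8.8.8.80: S 1628743767:1628743767(0) win 4380
13:19:33.969451 00:50:56:b3:01:0b > 00:50:56:b3:01:0a, ethertype 802.1Q (0x8100), length 78: vlan 4093, p 0, ethertype IPv4, 200.200.200.101.49655 > 8.8.8.8.80: S 616950208:616950208(0) win 5840
13:19:33.970424 00:50:56:b3:00:b5 > 00:50:56:b3:03:7f, ethertype 802.1Q (0x8100), length 82: vlan 4094, p 0, ethertype IPv4, 2.2.2.2.49655 > 8.8.8.8.80: S 3355095084:3355095084(0) win 4380
"""
ARP = """\
ARP 172.28.19.253 - 00:50:56:B3:03:7F   VLAN external   expire 54s   resolved
ARP 172.28.19.254 - 00:01:E8:D5:D4:47   VLAN external   expire 274s   resolved
"""
# Policy from the iRule in the reply: selected gateway -> SNAT address.
EXPECTED = {"172.28.19.254": "1.1.1.1", "172.28.19.253": "2.2.2.2"}
INTERNAL_VLAN, EXTERNAL_VLAN = "4093", "4094"   # assumed from the capture

# Match only client SYNs ("S ... win"); SYN/ACKs carry "ack" before "win".
LINE = re.compile(r"^\S+ (\S+) > (\S+), .*vlan (\d+), .*IPv4, (\S+)\.(\d+) > (\S+)\.(\d+): S \S+ win ")
ARPLINE = re.compile(r"^ARP (\S+) - (\S+)")

def parse_arp(text):
    """Map next-hop MAC (lower-cased) to gateway IP from 'b arp' output."""
    return {m.group(2).lower(): m.group(1) for m in map(ARPLINE.match, text.splitlines()) if m}

def check_snat(tcpdump_text, arp_text, expected=EXPECTED):
    """Pair each internal SYN with the external SYN for the same (dst, dport, sport);
    return {sport: (gateway, snat_source, policy_ok)}. Relies on SNAT keeping the
    source port, as it does in the capture."""
    mac_to_gw = parse_arp(arp_text)
    inside, outside = {}, {}
    for line in tcpdump_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _src_mac, dst_mac, vlan, src, sport, dst, dport = m.groups()
        key = (dst, dport, sport)
        if vlan == INTERNAL_VLAN:
            inside[key] = src
        elif vlan == EXTERNAL_VLAN:
            outside[key] = (src, dst_mac.lower())
    results = {}
    for key, (snat_src, gw_mac) in outside.items():
        if key not in inside:
            continue          # no matching pre-NAT flow seen on the internal VLAN
        gw = mac_to_gw.get(gw_mac, "unknown")
        results[key[2]] = (gw, snat_src, expected.get(gw) == snat_src)
    return results
```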