richcol_318407
Apr 24, 2017

NAT for Internal Servers for Internet Access - Default Route

Hello. I am a newbie with LTM so please excuse any misunderstanding of the technologies. I am trying to set up Internet access via the F5 Big IPs and as I understand it I need to use the Forwarding IP virtual server type along with SNAT. I have read as many of the posts on here as I could find on this topic but cannot relate those specific setups to the problem I am having.


We have an internal pool of servers 192.168.1.192/27 on VLAN "f5_internal". These are already part of a pool and we have defined Virtual Servers for load balancing queries. However we also want these internal hosts to have their required internet access via the F5.


We have a default route installed in the F5 pointing at our connected core router. The hosts on subnet 192.168.1.192/27 have a default route pointing at the Internal Floating IP 192.168.1.192.


The SNAT pool "SNAT_Pool_Internet_Access" is defined just as a public IP that we want the F5 to translate the outbound HTTP flows from the internal hosts to. All I have done is create the pool and enter this public IP in the member list.


So far I have made configuration changes using the GUI and I have attached a screenshot of the configuration from the GUI. The CLI configuration is also listed below for the Virtual Server.


The Virtual Server with name "SNAT_Internet_Access" has availability status "Unknown (Enabled) - The children pool member(s) either don't have service checking enabled, or service check results are not available yet".


Can anyone please advise if there is a problem with the configuration I've used? I've also tried using "Source Address Translation" type "Auto Map" just for testing purposes in the Forwarding IP Virtual Server configuration but get the same error/virtual server status.


ltm virtual SNAT_Internet_Access {
    address-status no
    description "Source NAT Internet Access - Proxy Server Originated"
    destination 0.0.0.0:http
    ip-forward
    ip-protocol tcp
    mask any
    profiles {
        fastL4 { }
    }
    source 192.168.1.192/27
    source-address-translation {
        pool SNAT_Pool_Internet_Access
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        f5_internal
    }
    vlans-enabled
    vs-index 6
}


4 Replies

  • 192.168.1.192 is the network address, and you are using it as the default gateway as well. You need to change that.

    The unknown status is correct because the virtual server has no pool. A forward IP virtual server does not have a pool.

    Your configuration is correct, just a forward IP virtual server, with 0.0.0.0 as destination. You could have port 80 to limit to HTTP traffic as you have, or you could have 0 (all ports) to allow all traffic. Also, as you have done, the source address can be limited to the source network only. If you have all ports, you could then limit the ports in a firewall in the path to the internet or AFM if you have a license.

    You can use the snat pool in the virtual server configuration, or snat auto map in case you want to use the F5 self IP.

    I use a similar configuration in my lab (with auto map), to provide access to the backend servers that are behind the F5:

    root@(LABBIGIP1)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual vs_internet
    ltm virtual vs_internet {
        destination 0.0.0.0:any
        ip-forward
        mask any
        profiles {
            fastL4 { }
        }
        source 172.16.0.0/24
        source-address-translation {
            type automap
        }
        translate-address disabled
        translate-port disabled
        vlans {
            internal
        }
        vlans-enabled
        vs-index 30
    }
    

    I am using 13.0.0 in my lab, but this configuration works in your version for sure.

    Your configuration should work, just change the F5 IP and default gateway IPs in the servers.

  • Hi Leonardo. Many thanks for your response. I've just spotted the copy/paste error I've made - so the default gateway on the servers is actually set as 192.168.1.220 and not 192.168.1.192 as I originally posted. Sorry for that. Good to see that my configuration looks correct but puzzled as to why the servers cannot route out...


    On the F5 we are using a default route learned via BGP from the upstream router. Does this all look correct to you? (dummy IPs used)


    slb-1[0]show ip route
    B* 0.0.0.0/0 [20/0] via 10.10.10.2, f5_ext_vrf, 00:00:14


    admin@(slb-1)(cfg-sync In Sync)(Active)(/Common)(tmos) show /net route

    Net::Routes


    Name            Destination     Type        NextHop               Origin
    10.10.10.0/28   10.10.10.0/28   interface   /Common/f5_ext_vrf    connected
    ....
    default         default         gw          10.10.10.2            dynamic


    Appreciate your help.


  • How the device learns the default gateway should not be a problem. I am assuming you are not using route domains.


    How do the servers query DNS? You are only doing port 80, so this virtual server will not pass DNS.


    Can you take a packet capture and check what is happening? Basically, we need to understand if the traffic is reaching the F5, and if yes, where it is stopping.


    Check this solution for tcpdump:


    https://support.f5.com/csp/article/K411


    Check if you need to disable PVA, this solution explains why:


    https://support.f5.com/csp/article/K6546
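As an added example that is not part of this thread (it is neither the poster's nor Leonardo's configuration, and not an F5 tool), the Python below parses the tmsh `ltm virtual` listing pasted above, in both the one-line form from the question and the multi-line form from the first reply, and applies the checks the replies raise: whether the servers' default gateway is the network address of the `source` subnet (the first reply), and whether a `destination` port other than `any` or an `ip-protocol` of `tcp` would keep DNS from being forwarded (the third reply). The parser only understands the flat key/value and brace layout shown here; the set of bare flags (`ip-forward`, `vlans-enabled`) and the gateway addresses handed to the check are assumptions made for this example, and tmsh hides default values, so an absent `ip-protocol` is not treated as a finding.

```python
import ipaddress
import shlex

# Bare keywords that take no value in the tmsh listings shown in the thread
# (assumption for this example: enough for an ip-forward virtual server).
FLAGS = {"ip-forward", "vlans-enabled", "vlans-disabled"}

# The configuration as posted in the question (one-line tmsh form).
POSTED_CONFIG = (
    'ltm virtual SNAT_Internet_Access { address-status no '
    'description "Source NAT Internet Access - Proxy Server Originated" '
    'destination 0.0.0.0:http ip-forward ip-protocol tcp mask any '
    'profiles { fastL4 { } } source 192.168.1.192/27 '
    'source-address-translation { pool SNAT_Pool_Internet_Access type snat } '
    'translate-address disabled translate-port disabled '
    'vlans { f5_internal } vlans-enabled vs-index 6 }'
)

# The lab configuration from the first reply (multi-line tmsh form).
LAB_CONFIG = """
ltm virtual vs_internet {
    destination 0.0.0.0:any
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    source 172.16.0.0/24
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 30
}
"""


def _parse_block(tokens, i):
    """Parse tokens[i] == '{' up to its matching '}'; return (dict, index after '}')."""
    if tokens[i] != "{":
        raise ValueError(f"expected '{{' at token {i}, got {tokens[i]!r}")
    i += 1
    block = {}
    while tokens[i] != "}":
        key, nxt = tokens[i], tokens[i + 1]
        if nxt == "{":                      # nested block, e.g. profiles { ... }
            block[key], i = _parse_block(tokens, i + 1)
        elif nxt == "}" or key in FLAGS:    # bare flag or list entry, e.g. vlans { internal }
            block[key] = True
            i += 1
        else:                               # key value pair
            block[key] = nxt
            i += 2
    return block, i + 1


def parse_virtual(text):
    """Parse 'ltm virtual NAME { ... }' (one-line or multi-line) into (name, dict)."""
    tokens = shlex.split(text)              # keeps the quoted description as one token
    if tokens[:2] != ["ltm", "virtual"]:
        raise ValueError("expected 'ltm virtual NAME { ... }'")
    body, _ = _parse_block(tokens, 3)
    return tokens[2], body


def destination_port(vs):
    """Service part of 'destination', e.g. 'http', 'any' or '0'."""
    return vs["destination"].rsplit(":", 1)[1]


def check_forwarding_vs(vs, server_gateway):
    """Findings for an ip-forward virtual server given the servers' default gateway."""
    findings = []
    if "source-address-translation" not in vs:
        findings.append("no SNAT: replies from the internet would be sent to private source IPs")
    port = destination_port(vs)
    if port not in ("any", "0"):
        findings.append(f"destination port '{port}' only: DNS (port 53) and every other port is not forwarded")
    proto = vs.get("ip-protocol")           # absent means the default is hidden by tmsh; no claim made
    if proto and proto != "any":
        findings.append(f"ip-protocol {proto} only: UDP traffic such as DNS is not forwarded")
    net = ipaddress.ip_network(vs["source"], strict=False)
    gw = ipaddress.ip_address(server_gateway)
    if gw == net.network_address:
        findings.append(f"gateway {gw} is the network address of source {net}, not a usable host address")
    elif gw not in net:
        findings.append(f"gateway {gw} is outside source {net}; check it is the floating self IP on that VLAN")
    return findings


if __name__ == "__main__":
    name, vs = parse_virtual(POSTED_CONFIG)
    for gw in ("192.168.1.192", "192.168.1.220"):   # gateway as first posted, then as corrected
        print(f"{name} with server gateway {gw}:", check_forwarding_vs(vs, gw) or "no findings")
    lab_name, lab = parse_virtual(LAB_CONFIG)
    print(f"{lab_name}:", check_forwarding_vs(lab, "172.16.0.1") or "no findings")
```

Run as a script it reports the network-address gateway for the configuration as first posted, and with the corrected 192.168.1.220 it still reports the port 80 and TCP-only restrictions, which is the DNS point from the last reply; the lab virtual server, which forwards all ports, comes back clean. It is a paste-and-check aid for the listing only: the tcpdump and PVA articles linked above remain the way to see where traffic actually stops on the box.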