Forum Discussion

PeterRamage_314
Nov 20, 2017

Source NAT on VS restricting to specific interfaces only.

Hi,

I have a BIG-IP with a bunch of interfaces: external, 10 x internal ones & a mgmt. I use an IP forwarding VS with SNAT to get out to the internet from the internal interfaces with a public NAT. However, I want to route directly between the internal interfaces and the mgmt interface without NAT. I have added the relevant routing OK, but the issue I have is that the F5 NATs the traffic to the mgmt network with the external IP.

I tried adding a more specific forwarding VS from the internal interfaces to the mgmt interface, but it broke the outbound one. Is there a way to have a SNAT VS from a source subnet (which includes all the internal interface subnets) to a destination of 0.0.0.0/0, but for it to exclude the traffic destined for the mgmt interface?

NOTE: this is NOT the F5 management interface, it's just called 'mgmt'.

Thanks, Pete.


1 Reply

  • You have to configure a forwarding virtual server with destination 0.0.0.0, and a more specific one with the mgmt network as destination. Make sure you enable the virtual servers only on the internal networks.

    This solution explains how the precedence works for virtual servers:

    https://support.f5.com/csp/article/K14800

    Just to provide the complete picture, this one explains all listeners:

    https://support.f5.com/csp/article/K9038

    You said you tried to create a more specific virtual server and it did not work. Review the solutions and try again. Post the configuration of your virtual servers here in case it does not work.
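As an added example of the two-virtual-server layout the reply describes (this is not the poster's configuration and not from either linked article), here is a tmsh configuration with a catch-all forwarding virtual server that SNATs, and a more specific forwarding virtual server for the 'mgmt' network that does not. The virtual server names, VLAN names and address ranges (10.0.0.0/8 for the internal subnets, 172.16.10.0/24 for the 'mgmt' network, automap for the public SNAT) are assumptions chosen for illustration:

```tmsh
# Assumed names and addresses (not from the original post):
#   internal VLANs : int_vlan1, int_vlan2 (add the other internal VLANs here)
#   internal subnets: 10.0.0.0/8
#   'mgmt' network : 172.16.10.0/24 (a normal data-plane VLAN, not the BIG-IP mgmt port)
#   public SNAT    : automap, i.e. the self IP on the egress (external) VLAN

# 1. Catch-all forwarding VS: internal sources to anywhere, with SNAT.
#    ip-forward makes it a forwarding VS, so no pool is needed and
#    the destination address/port are not translated.
create ltm virtual fwd_internet {
    destination 0.0.0.0:any
    mask any
    source 10.0.0.0/8
    ip-protocol any
    ip-forward
    profiles { fastL4 { } }
    source-address-translation { type automap }
    translate-address disabled
    translate-port disabled
    vlans { int_vlan1 int_vlan2 }
    vlans-enabled
}

# 2. More specific forwarding VS for the 'mgmt' network, same source filter
#    and same VLANs, but with SNAT explicitly switched off.
#    Because its destination (a /24) is more specific than 0.0.0.0/0,
#    traffic from the internal VLANs to 172.16.10.0/24 is matched here
#    instead of by fwd_internet, and leaves with its original source IP.
create ltm virtual fwd_mgmt {
    destination 172.16.10.0:any
    mask 255.255.255.0
    source 10.0.0.0/8
    ip-protocol any
    ip-forward
    profiles { fastL4 { } }
    source-address-translation { type none }
    translate-address disabled
    translate-port disabled
    vlans { int_vlan1 int_vlan2 }
    vlans-enabled
}

save sys config

# 3. Check which listener is taking the traffic: generate some flows from an
#    internal host to a 'mgmt' host and to an internet address, then compare
#    the packet counters of the two virtual servers.
show ltm virtual fwd_mgmt
show ltm virtual fwd_internet
```

Two things to check if the more specific virtual server still appears to be bypassed: both virtual servers must be enabled on the same internal VLANs (a VS that is enabled on all VLANs would also answer on the 'mgmt' VLAN and could SNAT return traffic), and the source filter must actually cover the internal subnets, since a non-matching source address drops the packet out of the selection rather than falling through to the catch-all. The packet counters from `show ltm virtual` are the quickest way to confirm that flows to 172.16.10.0/24 are landing on fwd_mgmt and everything else on fwd_internet.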