dragonflymr
May 31, 2016

VIP targeting VIP, preserve src and dst IP

Hi,

I tried everything and nothing worked :-(. I am running out of ideas, so either I am doing something wrong or what I need is not possible.

The idea is to have a setup like this:

client -> explicit forward proxy type VS -> ForwardIP type VS -> target server

I tried plenty of combinations to pass traffic from forward proxy VS to ForwardIP VS but all failed - virtual, nexthop with snat none, translate addr disable etc.

I need to pass traffic, after the forward proxy VS resolves the destination server from the proxy request, to the ForwardIP server. This is my idea to be able to use AFM rules to enforce limitation of src IP:port, dst IP:port (L4 rules).

I know that it's possible to use APM ACLs, but this is not a very elegant and admin-friendly solution :-(

Everything is failing when I try to pass traffic to ForwardIP VS.

When the virtual command is used, the dst IP is changed to the ForwardIP VS or (when a wildcard VS is used) to nothing. But at least traffic is reaching the ForwardIP VS.

When nexthop is used, traffic never reaches the ForwardIP VS.

When nexthop is used with a tunnel specified (tcp forward type on which the ForwardIP VS is enabled), I immediately get a port exhaustion message in the LTM log.

Is there any way to achieve what I need, or is it plain impossible?

Piotr