Forum Discussion

sstafford
Mar 31, 2009

ICMP and the Forwarding Virtual Server

Hi All,

Currently we have a forwarding virtual server set up that will forward along anything to any address on the vlans it is enabled on:

    virtual ReplaceNat {
       ip forward
       destination any:any
       mask none
       vlans VLAN1115
          VLAN1116 enable
    }

Security-wise, that's a bit too open for comfort, so we're replacing it with a set of more service-specific forwarding virtual servers, like this one for ssh:

    virtual SshWildCard {
       translate service disable
       ip forward
       destination any:ssh
       mask none
       ip protocol tcp
       vlans VLAN1115
          VLAN1116 enable
       profiles fastL4
    }

This has gone well for the most part, until the time comes to disable the initial forwarding virtual server--"ReplaceNat"--at which point a third-party monitoring server starts complaining that it can no longer ping the servers behind the load-balancer.

Obviously, the ReplaceNat forwarding virtual server is allowing icmp traffic and the more specific forwarding virtual servers are not. Is there a way to either set up a forwarding virtual server for just icmp traffic, either by creating a new virtual server, or adding an iRule to ReplaceNat so that all traffic other than icmp is blocked there?

Thanks,

Sid

3 Replies

  • Hi Sid,

    Sure you can just set up another IP Forwarding virtual server on 0.0.0.0 that has protocol set to Other and choose ICMP (because your SshWildCard one is only on TCP). What I don't know off the top of my head is what exactly needs to go in the protocol box when you select Other; I think it's the protocol number (in the case of ICMP it would be 1) or whether it will actually recognize the characters "ICMP."

    Denny
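
Added illustration (not part of the thread and not F5 code): a Python sketch that parses stanzas in the style posted above and applies a simplified protocol/port match, showing why ping stops once ReplaceNat is disabled and how a protocol-restricted forwarding virtual restores it without reopening everything else. The stanzas are abridged from the post; the IcmpWildCard stanza, its `ip protocol 1` spelling and the helper names are assumptions, and the matching is a model, not BIG-IP's own selection logic.

```python
import re

# Constructed sample: ReplaceNat and SshWildCard abridged from the thread;
# IcmpWildCard is hypothetical ("1" vs "icmp" is unconfirmed in the thread).
SAMPLE = """
virtual ReplaceNat {
   ip forward
   destination any:any
   vlans VLAN1115 VLAN1116 enable
}
virtual SshWildCard {
   ip forward
   destination any:ssh
   ip protocol tcp
   vlans VLAN1115 VLAN1116 enable
}
virtual IcmpWildCard {
   ip forward
   destination any:any
   ip protocol 1
   vlans VLAN1115 VLAN1116 enable
}
"""
PORTS = {"ssh": 22}                               # service names used in the sample
PROTOS = {"1": "icmp", "6": "tcp", "17": "udp"}   # IANA protocol numbers

def parse_virtuals(text):
    """Map name -> (protocol or None, port or None) for ip-forward virtuals."""
    out = {}
    for name, body in re.findall(r"virtual\s+(\S+)\s*\{(.*?)\}", text, re.S):
        if not re.search(r"^\s*ip forward\s*$", body, re.M):
            continue
        proto = re.search(r"ip protocol\s+(\S+)", body)
        proto = proto.group(1).lower() if proto else None
        svc = re.search(r"destination\s+\S+:(\S+)", body).group(1)
        port = None if svc == "any" else PORTS.get(svc) or int(svc)
        out[name] = (PROTOS.get(proto, proto), port)
    return out

def matching(virtuals, proto, port=None, disabled=()):
    """Enabled virtuals that would forward this packet (simplified model)."""
    return [n for n, (vproto, vport) in virtuals.items()
            if n not in disabled and vproto in (None, proto)
            and vport in (None, port)]

def too_open(virtuals):
    """Forwarding virtuals with neither a protocol nor a port restriction."""
    return [n for n, v in virtuals.items() if v == (None, None)]
```

`too_open(parse_virtuals(SAMPLE))` flags only ReplaceNat, and passing `disabled=("ReplaceNat",)` to `matching` shows which traffic still has a forwarding path once it is switched off.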