Forum Discussion

_Sander_
May 17, 2016

Configuring PAT rule for just one source port

Hi,

I'm quite new to F5 BIG-IPs, so please excuse any ignorance :)

We have a virtual server (BIG-IP v11.5.4) which is configured for port translation from port * --> port 8000. The pool members are configured with service port 8000. Besides this we've configured an iRule which drops all traffic which is not on port 80 or port 8000, resulting in port 80 being forwarded to 8000, and port 8000 being left untouched.

However, if I'd like to use port 22, traffic will be dropped (and without the iRule, port 22 would be translated to port 8000).

This feels like the current configuration is too brute, and it could be configured better. However, searching for port address translation on BIG-IPs did not help me much further.

Is it possible to configure port forwarding only for port 80? And leave all other ports 'untranslated'?

Thanks in advance!

Kind regards,

Sander


4 Replies

  • Is it possible to configure port forwarding only for port 80? And leave all other ports 'untranslated'?

    It sure is possible (even without any iRules).

    1. You will need one Virtual Server which listens on port * (any), and a pool where all members are also listening on port * (any). In that case, the original destination port number is retained on the server side. For security purposes, it is recommended that you apply some kind of whitelisting and accept only certain ports that are relevant for the use of the application. Whether you do the whitelisting inside BIG-IP or in another device does not matter much.

    2. For your port translation from 80 to 8000, you have two options. Either use an iRule on the same wildcard VS for conditional port address translation; or go for a second option, which I consider to be much better: a second VS which listens on the same IP, but on port 80 (pool members on port 8000).

    BIG-IP will give the request to the VS which is the closer match. This ensures the incoming TCP/80 requests are not processed by the wildcard VS; instead, they are processed by the closer-match VS which listens on port TCP/80.

    If the number of relevant port numbers you want to accept is fewer than 10, I would advise you to just create all the relevant Virtual Servers, one VS per client-side port you want to accept. It's a one-time effort that will pay off. That way you will not have to worry about managing an L4 whitelist.

    Regards,

    • _Sander_
      Hi Hannes, I was not able to make the port address translation work using a second VS on the same IP with port 80 configured; however, I was able to configure the port address translation using an iRule and your instructions above. Thanks for your answer! Kind regards, Sander
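An added example, not code from Hannes or Sander, of the iRule option described in point 2 above, which is the route Sander reports taking: one wildcard virtual server (destination `<VIP>:*`) with conditional port translation and the L4 port whitelist built into the same rule. The pool names `pool_app_any` (members defined on port * / 0) and `pool_app_8000` (the same members on port 8000) and the port list 22/80/8000 are assumptions for illustration; `translate port` is the iRule command that switches port translation on or off for the current connection. The other option, a separate port-80 VS with port translation enabled on the same IP, needs no iRule at all.

```tcl
# Added example, not from the thread. Assumed pools (hypothetical names):
#   pool_app_any  - members defined on port * (0), so the client's
#                   destination port is kept on the server side
#   pool_app_8000 - the same members defined on port 8000
# Attach this rule to the wildcard virtual server (destination <VIP>:*).
when CLIENT_ACCEPTED {
    # TCP::local_port is the port the client actually connected to on the
    # wildcard VS, so it is the value to whitelist and, for 80, to translate.
    switch [TCP::local_port] {
        80 {
            # Only port 80 is translated: enable port translation for this
            # connection and pick the pool whose members listen on 8000.
            translate port enable
            pool pool_app_8000
        }
        22 -
        8000 {
            # Whitelisted ports pass through untranslated (members on port 0).
            translate port disable
            pool pool_app_any
        }
        default {
            # Anything not whitelisted is rejected before a server-side
            # connection is built. The log line keeps the whitelist auditable.
            log local0. "Rejected [IP::client_addr]:[TCP::client_port] -> port [TCP::local_port]"
            reject
        }
    }
}
```

The decision is made once per TCP connection in CLIENT_ACCEPTED, so a client on port 22 or 8000 reaches the member on that same port, while port 80 alone is rewritten to 8000. Adding a port means adding one more `switch` branch rather than another virtual server, which is the trade-off Hannes weighs against the one-VS-per-port approach.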