Forum Discussion

mrugal
Sep 18, 2020

SSH access to web server behind LTM

Hello,

I'm new to F5 products and I deployed a simple topology in an EVE-NG virtual environment.

My home LAN acts as the Internet and my topology looks like this:

Internet --- BigIP LTM --- WebServers

Internet = 192.168.1.0/24, InsideLAN with WebServers = 10.2.0.0/24

I want to access my servers via SSH from the Internet side, but how do I do that? On a Cisco device I would be able to do that with NAT, but with F5 I have a blackout.


5 Replies

  • This is very simple. Assuming you have already configured your VLANs on the F5, you'll need to create a standard VS listening on an IP address (the Destination Address parameter) on the Internet VLAN and port 22.

    The VS will automatically do the NAT for you; however, if the F5 is not configured as the gateway of your web servers, you'll need to configure it with the parameter Source Address Translation set to Automap.

    Keep everything else at the default value unless you have other specific requirements.


    • mrugal

      My web servers are CentOS-based with the gateway set to 10.2.0.145, which is the F5 internal port. VLANs are configured... I think they are. SSH services are running. I can SSH to them from the F5 CLI.

      If I understand your first scenario with gateways correctly, I tried this:

      How does the VS know where to forward traffic? An empty source field is auto-filled with 0.0.0.0/0, and that means "from all sources/IP addresses", correct? The NAT field stays as it is, "none". I also tried changing it, with no luck. The VS is online, I can ping it, and I checked the port with nmap; it is open.


      I also tried the second scenario, with the source field set to my web server IP address (10.2.0.11) and NAT set to "auto". My gateways on the web servers are still set to the F5 internal interface address 10.2.0.145. This scenario seems more proper to me, but it still does not work. In this scenario the port seems to be closed.


      I tried a third scenario and used:

      Type: Standard

      Source: 0.0.0.0/0

      Destination Address: 192.168.1.146

      Service Port: 22


      Source Address Translation: None


      Under "Resources" I set "Default Pool" to a pool with my web server and the SSH port, and this scenario works. As you can see, I configured it like an HTTP service with web sites, but I don't think this is best practice, right?

      Do you have any idea what I am doing wrong? I think the problem is my lack of knowledge in the F5 field :)

      My LTM version is 11.6.0.

  • You also have to assign a pool to your VS. You can create the pool under "Local traffic > Pools"; in the pool you specify the actual servers by their IP and port. Then, to assign a pool to an existing VS, go to the Resources tab of the VS.

    • mrugal

      I did that in the third scenario from my previous post and it works. It looks strange to me, but maybe that is just my perspective :) I was searching for a NAT config without pools. I have only a little experience with Cisco IOS.

      Thanks for your help and guidance to solve my problem.

      • You can also have a NAT configuration without a pool and without a VS. It is under "Local traffic > Address translation > NAT".

        In this case you lose the main F5 functions, and you just forward the traffic destined to the NAT address to the origin address.

        The F5 needs to be on the route of client requests. You can configure the self IP as the gateway of your client.
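The configuration the thread converges on, written out as tmsh commands (an added example, not from the posts or from F5 documentation): the pool holding the web server's SSH port, the standard virtual server on the Internet-side address, the Source Address Translation setting from the first reply for the case where the F5 is not the servers' gateway, and the pool-less NAT alternative from the last reply. The addresses 192.168.1.146, 10.2.0.11 and 10.2.0.145 come from the thread; the object names `ssh_web_pool`, `vs_ssh_web` and `nat_web_ssh` and the NAT translation address 192.168.1.147 are assumptions made for illustration.

```tmsh
# Added example: tmsh equivalents of the settings discussed in this thread.
# Addresses 192.168.1.146, 10.2.0.11 and 10.2.0.145 are from the posts;
# object names and 192.168.1.147 are assumed for illustration.

# 1. Pool with the web server's SSH port. The tcp monitor checks that
#    port 22 accepts connections before the member receives traffic.
create ltm pool ssh_web_pool members add { 10.2.0.11:22 } monitor tcp

# 2. Standard virtual server on the Internet-side address, port 22 only
#    (the working "third scenario"). "source" is the client-address filter:
#    0.0.0.0/0 admits all clients; setting it to the server's own IP would
#    match no Internet client, which is why the second scenario saw a
#    closed port.
create ltm virtual vs_ssh_web destination 192.168.1.146:22 ip-protocol tcp source 0.0.0.0/0 profiles add { tcp } pool ssh_web_pool

# 3. Only if the servers' default gateway is NOT the F5 self IP 10.2.0.145:
#    rewrite the client source to the F5 internal self IP so the server's
#    reply returns through the F5 instead of bypassing it.
modify ltm virtual vs_ssh_web source-address-translation { type automap }

# 4. Alternative from the last reply: a 1:1 NAT with no pool and no VS.
#    It maps every port of 10.2.0.11, not just 22, and applies no LTM
#    profiles or monitors, so the virtual server above exposes less and
#    is the tighter choice when only SSH is needed.
create ltm nat nat_web_ssh originating-address 10.2.0.11 translation-address 192.168.1.147

save sys config
```

Steps 1 to 3 are the virtual-server route; step 4 is the separate NAT route, so a deployment would normally use one or the other, not both for the same server. Step 3 is what lets the VS work when the server's default gateway points somewhere other than the F5; when the gateway is the F5 self IP, as in the thread, it can be left at None.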