Forum Discussion
Automap vs SNAT Pool on a Forwarding VS
Hello
I have set up a forwarding VS on the LTM, with the following configuration:

    ltm virtual VLAN100-Forwarding {
        destination 0.0.0.0:any
        ip-forward
        mask any
        profiles {
            fastL4_stateless { }
        }
        snat automap
        translate-address disabled
        translate-port disabled
        vlans {
            LAN-VLAN100
        }
        vlans-enabled
    }
The issue I am having is when I associated a SNAT pool to this VS the servers that sit on this VLAN are no longer able to access the Internet; however, automap works just fine.

    ltm snatpool my_SNAT-pool {
        members {
            100.1.1.1
            100.1.1.2
        }
    }

My goal is to prevent port exhaustion. I have looked at using an iRule to attach to the VS like the one below, or adding another self IP to the egress VLAN, but the SNAT pool just seemed like a cleaner approach.

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 172.26.100.0/255.255.255.0] } {
            snatpool my_SNAT-pool
        }
    }
Any thoughts or ideas why this would not work? I have read the solution articles about attaching a SNAT pool directly to a VS and don’t think I am missing anything obvious. Thanks
5 Replies
- Cory_50405
Noctilucent
What is the self IP address that is used for outgoing traffic when SNAT automap is configured on the virtual server? It could be a routing issue where your SNAT pool addresses aren't being properly routed on your network. That's just one of the things it could be, but maybe the most likely.
Your configuration looks fine.
- jaddie_85451
Nimbostratus
Cory
Thanks for your response
The self IP on the egress VLAN just uses a different last octet than the two indicated in the SNAT pool.
I have verified the routing and from what I can see all are correct.
That is why I guess I am at a loss; the config is not a complex one, but I am just looking to get another set of eyes or opinions on what it could be.
Thanks again
- Cory_50405
Noctilucent
Another option could be access control on the network preventing the SNAT pool addresses from communicating out. If you do a tcpdump on your LTM, do you see any packets leaving sourced from the SNAT pool addresses?
    tcpdump -nni 0.0 host 100.1.1.1 or 100.1.1.2
- jaddie_85451
Nimbostratus
Again Cory thank you for your response
OK, I have completed some additional testing after gaining access to the server. If I use a SNAT pool with one IP (either of the two IPs mentioned) it works as expected; however, if I add an additional IP to the pool I am no longer able to access the Internet from my browser.
This would verify routing and access control.
Any thoughts on why this would not work?
- Cory_50405
Noctilucent
Nothing immediately comes to mind as a potential problem. Do you see any errors/warnings in /var/log/ltm that may indicate a problem?
If not, try the tcpdump matching either of your SNAT pool IP addresses to see if the LTM is sending the traffic out as expected.
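A small helper for reading the capture Cory suggests, added here as an example and not part of the thread: it tallies, per SNAT pool member, how many packets left sourced from that address and how many came back to it, so a member that sends but never receives replies (the symptom when the second pool member breaks Internet access) stands out. The capture lines below are constructed, simplified tcpdump -nn output, not a real capture from the poster's LTM; the member addresses are the two from my_SNAT-pool.

```python
import re

# SNAT pool members from the thread (my_SNAT-pool).
SNAT_MEMBERS = {"100.1.1.1", "100.1.1.2"}

# Matches the "IP src.port > dst.port:" part of a tcpdump -nn line.
_PKT = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def tally_snat_traffic(lines, members=SNAT_MEMBERS):
    """Count packets sent from and returned to each SNAT pool member.

    Returns {member: {"out": n, "in": n}}. A member with out > 0 and in == 0
    means the LTM is translating to that address, but nothing upstream is
    sending replies back to it (routing, ARP or an ACL for that address).
    """
    counts = {m: {"out": 0, "in": 0} for m in members}
    for line in lines:
        m = _PKT.search(line)
        if not m:
            continue  # not a packet line (banner, summary, etc.)
        src, _, dst, _ = m.groups()
        if src in counts:
            counts[src]["out"] += 1
        if dst in counts:
            counts[dst]["in"] += 1
    return counts


def members_without_replies(counts):
    """Members that sent traffic but never received a single reply."""
    return sorted(m for m, c in counts.items() if c["out"] and not c["in"])


# Constructed sample of what 'tcpdump -nni 0.0 host 100.1.1.1 or 100.1.1.2'
# might print: .1 completes a handshake, .2 retransmits SYNs with no reply.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 100.1.1.1.40001 > 203.0.113.10.443: Flags [S], seq 1, length 0
12:00:01.000500 IP 203.0.113.10.443 > 100.1.1.1.40001: Flags [S.], seq 1, ack 2, length 0
12:00:01.000700 IP 100.1.1.1.40001 > 203.0.113.10.443: Flags [.], ack 2, length 0
12:00:02.000001 IP 100.1.1.2.40002 > 203.0.113.10.443: Flags [S], seq 1, length 0
12:00:03.000001 IP 100.1.1.2.40002 > 203.0.113.10.443: Flags [S], seq 1, length 0
12:00:05.000001 IP 100.1.1.2.40002 > 203.0.113.10.443: Flags [S], seq 1, length 0
""".splitlines()

if __name__ == "__main__":
    tallies = tally_snat_traffic(SAMPLE_CAPTURE)
    for member, n in sorted(tallies.items()):
        print(f"{member}: out={n['out']} in={n['in']}")
    print("no replies for:", members_without_replies(tallies))
```

On a real box, feed it the saved text of the tcpdump run (for example `tcpdump -nni 0.0 host 100.1.1.1 or 100.1.1.2 > snat.txt`) and a member listed as having no replies is the one to check on the upstream router or firewall.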