For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

hung_105573's avatar
hung_105573
Icon for Nimbostratus rankNimbostratus
Jul 24, 2012

Can not Ping to internet from inside

Hi all

 

 

I'm a new F5 , i have config users from inside access internet

 

 

users--------F5---------internet (there are 3 line internet)

 

 

My config virtual servers

 

 

Destination : 0.0.0.0/0.0.0.0

 

Services port: All

 

Type:Performance layer 4

 

Protocol: ALL

 

VLAN and Tunnel Traffic :Internal

 

SNAT Pool :AutoMap

 

 

Default Pool:Default_GW_Pool

 

 

Default Persistence Profile:Dest_Addr

 

 

When i check , the users can not ping to internet , but can access telnet to ip public on internet

 

 

The problem was occur at some time , but when i haved restart all services , then anything is work good

 

 

could you help pls help me ?

 

 

How to use tcpdump to see the problem ?

 

 

Many thanks all

 

 

config
design

6 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jul 24, 2012
    How to use tcpdump to see the problem ?can you try this?

     

     

    to screen

     

    tcpdump -nni 0.0 host x.x.x.x

     

     

    to file

     

    tcpdump -i 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x

     

     

    x.x.x.x is destination ip
  • hung_105573's avatar
    hung_105573
    Icon for Nimbostratus rankNimbostratus
    Jul 25, 2012

    Hi

     

     

    I haved use tcpdump , and i saw F5 can not NAt source ip address when i ping a ip address on the internet

     

     

    ,but F5 has Nat source when i telnet to ip address on the internet

     

     

    but When i have command restart sys services all then anything work good

     

     

    could you pls help me ! ?

     

     

    thanks all

     

     

     

     

     

     

     

     

     

     

  • Cholito_15468's avatar
    Cholito_15468
    Icon for Nimbostratus rankNimbostratus
    Jul 25, 2012
    Hi, you have block udp for SNAT

     

     

    Permit all protocols on SNAT, configure Snat on

     

    System => LTM => General (Snat change tcp at all protocol)

     

     

  • hung_105573's avatar
    hung_105573
    Icon for Nimbostratus rankNimbostratus
    Jul 25, 2012
    Posted By Cholito on 07/24/2012 08:40 PM

     

    Hi, you have block udp for SNAT

     

     

    Permit all protocols on SNAT, configure Snat on

     

    System => LTM => General (Snat change tcp at all protocol)

     

     

    Hi

     

    I had change SNAT from SYS--->Config--->Local Traffic---->General

     

     

    change SNAT Packet Forwarding from TCP and UDP only to ALL Traffic but it still have problem so .

     

     

    But when I enabled ARP on virtual address 0.0.0.0 then ping work good! but can not see NAT source address .

     

     

    Many thanks

     

     

     

     

     

     

     

     

     

  • hung_105573's avatar
    hung_105573
    Icon for Nimbostratus rankNimbostratus
    Jul 25, 2012

    hi all

     

     

    In this case , should i config enable ARP in Virtual server 0.0.0.0 ?

     

     

    Could you pls give me a advise ?

     

     

    and I have case , I haved delete virtual server for incoming traffic server in inside and create again the same config before then It work , I didn't know why ?

     

    Could you pls help me ?

     

     

    thanks all !