Can't ping from Internal Vlan to Internet ?

Question

Hi all.  
&nbsp; I have a box BIG-IP LTM (with license both of LTM &amp; LinkController ).  
&nbsp; I have 2 ADSL as:  
&nbsp; ---------------- ------------------  
&nbsp; - 203.162.0.1 - - 210.245.0.1 -  
&nbsp; ---------------- ------------------  
&nbsp; |                                |  
&nbsp; |                                |  
&nbsp; |                                |  
&nbsp; ---------------------------------------------------  
&nbsp; - 203.162.0.4 210.245.0.4 -  
&nbsp; - F5 LTM -  
&nbsp; - 172.16.1.1  
&nbsp; ---------------------------------------------------  
&nbsp; |  
&nbsp; ASA 5550  
&nbsp; |  
&nbsp; |  
&nbsp; Clients  
&nbsp; -------------------------------------------------  
&nbsp; This diagram need to do these:  
&nbsp; 1.       Link Controler help me domain name for application: mail, web, vpn name.  
&nbsp; 2.       VPN site-to-site from Internet (Cisco Router) to ASA (Vir 203.162.0.7; Vir210.245.0.7).  
&nbsp; 3.       SSL VPN, Ipsec VPN from Internet to ASA (Vir 203.162.0.7)  
&nbsp; 4.       Loadbalance for http, smtp protocol to DMZ server. (Vir 203.162.0.5, 2; Vir210.245.0.5)  
&nbsp; 5.       Client from Internal vlan can go to Internet by 2 ADSL line  
&nbsp; And the IP forwarding for ASA to outbound with SNAT. SNAT make BIG-IP choose correct gate-way to go out. SNAT enable in internal vlan.  
&nbsp;   
&nbsp; Default-gateway of BIG-IP is pool (203.162.0.1; 210.245.0.1) .  
&nbsp; And these are the value for varialbe.  
&nbsp; Box  
&nbsp; F5LTM 3400-01  
&nbsp; Tham số  
&nbsp; Giá trị  
&nbsp; VLANs  
&nbsp; ExtLeaseline1  
&nbsp; ExtLeaseline2   
&nbsp; Internal  
&nbsp; Self IPs  
&nbsp; ExtLeaseline1: 203.162.0.2/28  FloadingIP: 203.162.0.1  
&nbsp; ExtLeaseline2: 210.245.0.2/28  FloadingIP: 210.245.0.1  
&nbsp; Internal: 172.30.1.4/24   FloadingIP: 172.30.1.3  
&nbsp; A default Gateway pool  
&nbsp; Pool with member  
&nbsp; 203.162.0.1  
&nbsp; 210.245.0.1  
&nbsp; Links  
&nbsp; Primary:  203.162.0.1  
&nbsp; Secondary:  210.245.0.1  
&nbsp; Outbound SNAT  
&nbsp; Snat_ Automap with InternetVlan  
&nbsp; Pool  
&nbsp; • Pool_Web    Member:  172.30.1.6 (172.30.1.6 is Nat ip address of ASA for Web server)  
&nbsp; • Pool_Mail     Member: 172.30.1.7 (172.30.1.7 Nat ip address of ASA for MailServer)  
&nbsp; • Pool_VPN    Member: 172.30.1.1  
&nbsp; • Pool_Router  Member: 203.162.0.4; 210.245.0.4  
&nbsp; Virtual Servers  
&nbsp; • VS_Web1: 203.162.0.5 (80) Pool: Pool_Web  
&nbsp; • VS_Web2: 210.245.0.5 (80) Pool: Pool_Web  
&nbsp; • VS_Mail: 203.162.0.6 (*) Pool: Pool_Mail  
&nbsp; • VS_VPN: 203.162.0.7 (*) Pool: Pool_VPN  
&nbsp; Listeners  
&nbsp; ListernerOutbound1: 203.162.0.1  
&nbsp; ListernerOutbound2: 210.245.0.1  
&nbsp; Wide IPs  
&nbsp; • www.baoviet.com.vn  
&nbsp; o Member: VS_Web1, VS_Web2.  
&nbsp; • mail.baoviet.com.vn  
&nbsp; o Member: VS_Mail.  
&nbsp; • vpn.baoviet.com.vn  
&nbsp; o Member: VS_VPN.  
&nbsp; Outbound VS  
&nbsp; • VS_Outbound: 0.0.0.0  
&nbsp; o IP Forwarding  
&nbsp; o Lasthop Pool: Pool_Outbound  
&nbsp; Could you tell me this config is correct for boxF5 ?  
&nbsp; When I configed this, I ‘ve checked it okia. But Client from Internal, or ASA can’t ping to Internet (they still telnet, or access Web...). I check SOL9616 solution from ask f5 and upgrade my box to ver 9.4.7 but it still can't ping to Internet.  
&nbsp; Could you help me, plz  
&nbsp; Thanks &amp; Regards

hoolio · Answer

Do you have VS_Outbound set for all protocols?  Also, if the ICMP is going through a SNAT, you'll need to enable all protocols for SNAT as well.  You can see SOL7366 for details: 
&nbsp;  
&nbsp; SOL7366: Configuring the BIG-IP LTM to pass ICMP traffic   
&nbsp; https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7366.html 
&nbsp;  
&nbsp; Aaron

tranchungdt5_93 · Answer

Thank you very much. 
&nbsp; I have fixed it with SNAT with all traffic. 
&nbsp; Thank you again. 
&nbsp; And, could you help me with solution "how to choose the gateway router to go out  if I have 4 ADSL gateways". Example, with Mail, Web, I choose Leaseline Internet, and others I choose 4ADSL Internets. 
&nbsp; Help me, plz 
&nbsp; Thanks

hoolio · Answer

If you want to select a different gateway (or gateway pool) for different protocols, it would be easiest to create a separate pool for each gateway and then create separate virtual servers (0.0.0.0:80, 0.0.0.0:443, 0.0.0.0:25, etc) for each protocol which points at the relevant pool.  Make sure to enable the wildcard virtual servers only on the VLANs which you want to accept traffic from.  You probably don't want to have the VIPs enabled on the external VLAN or any other which is connected to an untrusted subnet. 
&nbsp;  
&nbsp; Aaron

tranchungdt5_93 · Answer

Thank you for reply my answer. 
&nbsp; With "How to choose the gateway to go out", I have to config to choose the gateway with ip of client. With ip of DMZ server, F5 box choose gateway LeaseLine, with ips of Internet Client, F5 choose gateway ADSL.  
&nbsp; Could I use I-rule for Virtual IP Forwarding to choose the ADSL pool or Leaseline pool ? 
&nbsp; And if I use Virtual Wildcard Server 0.0.0.0 (UDP&amp;TCP) with pool is Leaseline pool. I don't know it different from Virtual IP Forwarding or not ? Because when I replace  Virtual Wildcard Server 0.0.0.0 with Virtual IP Forwarding, F5 box still work okia. 
&nbsp; Could you help me understand more ? 
&nbsp; Thanks alot 
&nbsp; Tran Chung

hoolio · Answer

Yes, you could use an iRule to select a pool based on the client IP address.  Here is an example from cmbhatt: 
&nbsp;  
&nbsp; Select specific Node based on incoming src IP 
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=53&amp;forumid=5&amp;tpage=1&amp;view=topic&amp;postid=3315733175 
&nbsp;  
&nbsp; You can use matchclass (Click here) to check the client IP address against an address type datagroup with one or more hosts/subnets.  Or to compare the client iP address against a single IP address or subnet, you can use IP::addr  (Click here). 
&nbsp;  
&nbsp; It would be easier to configure the virtual server to select the pool based on the VLAN the client connects to the VIP from.  If you could do that, you could just have one VIP per incoming VLAN and not bother with an iRule. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Can't ping from Internal Vlan to Internet ?

7 Replies

Recent Discussions

Limit connection per VS and redirect user

APM and Datasafe

Why I could not post a comment

F5 ASM/AWAF – violations logged but no learning suggestions generated

Catch Dynamic CRL Errors and Return Friendly Page

Related Content

Automating F5 Licensing - without direct internet access

Protect an application exposed on Internet with F5 XC WAAP

TCP Internals: 3-way Handshake and Sequence Numbers Explained

Unbreaking the Internet and Converting Protocols

Internet of Food

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS