Forum Discussion
tranchungdt5_93
Nimbostratus
Jul 15, 2009
Can't ping from Internal VLAN to Internet?
Hi all.
I have a BIG-IP LTM box (licensed for both LTM and Link Controller).
I have 2 ADSL links as:
    ISP router 203.162.0.1          ISP router 210.245.0.1
              |                               |
              |                               |
    +-------------------------------------------------+
    |  203.162.0.4                     210.245.0.4    |
    |                    F5 LTM                       |
    |                  172.16.1.1                     |
    +-------------------------------------------------+
                          |
                      ASA 5550
                          |
                       Clients
This setup needs to do the following:
1. Link Controller handles the domain names for the applications: mail, web, VPN.
2. Site-to-site VPN from the Internet (Cisco router) to the ASA (Vir 203.162.0.7; Vir 210.245.0.7).
3. SSL VPN and IPsec VPN from the Internet to the ASA (Vir 203.162.0.7).
4. Load balancing for the HTTP and SMTP protocols to the DMZ servers (Vir 203.162.0.5, 2; Vir 210.245.0.5).
5. Clients from the internal VLAN can go to the Internet via the 2 ADSL lines.
And IP forwarding for the ASA's outbound traffic with SNAT. SNAT makes BIG-IP choose the correct gateway to go out. SNAT is enabled on the internal VLAN.
The default gateway of BIG-IP is a pool (203.162.0.1; 210.245.0.1).
And these are the values for the variables.
Box: F5 LTM 3400-01
Parameters and values:
VLANs:
  ExtLeaseline1
  ExtLeaseline2
  Internal
Self IPs:
  ExtLeaseline1: 203.162.0.2/28, Floating IP: 203.162.0.1
  ExtLeaseline2: 210.245.0.2/28, Floating IP: 210.245.0.1
  Internal: 172.30.1.4/24, Floating IP: 172.30.1.3
Default gateway pool:
  Pool with members 203.162.0.1, 210.245.0.1
Links:
  Primary: 203.162.0.1
  Secondary: 210.245.0.1
Outbound SNAT:
  Snat_Automap with InternetVlan
Pools:
  • Pool_Web, member: 172.30.1.6 (172.30.1.6 is the ASA NAT address for the web server)
  • Pool_Mail, member: 172.30.1.7 (172.30.1.7 is the ASA NAT address for the mail server)
  • Pool_VPN, member: 172.30.1.1
  • Pool_Router, members: 203.162.0.4; 210.245.0.4
Virtual Servers:
  • VS_Web1: 203.162.0.5 (80), Pool: Pool_Web
  • VS_Web2: 210.245.0.5 (80), Pool: Pool_Web
  • VS_Mail: 203.162.0.6 (*), Pool: Pool_Mail
  • VS_VPN: 203.162.0.7 (*), Pool: Pool_VPN
Listeners:
  ListenerOutbound1: 203.162.0.1
  ListenerOutbound2: 210.245.0.1
Wide IPs:
  • www.baoviet.com.vn
      Members: VS_Web1, VS_Web2
  • mail.baoviet.com.vn
      Member: VS_Mail
  • vpn.baoviet.com.vn
      Member: VS_VPN
Outbound VS:
  • VS_Outbound: 0.0.0.0
      IP Forwarding
      Last hop pool: Pool_Outbound
Could you tell me whether this config is correct for the F5 box?
When I configured this, I checked it and it was OK. But clients from Internal, or the ASA, can't ping to the Internet (they can still telnet, or access the web...). I checked the SOL9616 solution from AskF5 and upgraded my box to version 9.4.7, but it still can't ping to the Internet.
Could you help me, please.
Thanks & Regards
7 Replies
- hoolio
Cirrostratus
Do you have VS_Outbound set for all protocols? Also, if the ICMP is going through a SNAT, you'll need to enable all protocols for SNAT as well. You can see SOL7366 for details:
SOL7366: Configuring the BIG-IP LTM to pass ICMP traffic
https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7366.html
Aaron
- tranchungdt5_93
Nimbostratus
Thank you very much.
I have fixed it with SNAT for all traffic.
Thank you again.
And could you help me with a solution for "how to choose the gateway router to go out if I have 4 ADSL gateways"? For example, for Mail and Web I choose the leased-line Internet, and for the others I choose the 4 ADSL Internet links.
Help me, please.
Thanks
- hoolio
Cirrostratus
If you want to select a different gateway (or gateway pool) for different protocols, it would be easiest to create a separate pool for each gateway and then create separate virtual servers (0.0.0.0:80, 0.0.0.0:443, 0.0.0.0:25, etc) for each protocol which points at the relevant pool. Make sure to enable the wildcard virtual servers only on the VLANs which you want to accept traffic from. You probably don't want to have the VIPs enabled on the external VLAN or any other which is connected to an untrusted subnet.
Aaron
- tranchungdt5_93
Nimbostratus
Thank you for replying to my question.
With "how to choose the gateway to go out", I have to configure it to choose the gateway based on the IP of the client. For the IPs of the DMZ servers, the F5 box chooses the leased-line gateway; for the IPs of the Internet clients, the F5 chooses the ADSL gateway.
Could I use an iRule on the Virtual IP Forwarding server to choose the ADSL pool or the leased-line pool?
And if I use a wildcard virtual server 0.0.0.0 (UDP & TCP) with the leased-line pool, I don't know whether it is different from Virtual IP Forwarding or not, because when I replace the wildcard virtual server 0.0.0.0 with Virtual IP Forwarding, the F5 box still works OK.
Could you help me understand more?
Thanks a lot
Tran Chung
- hoolio
Cirrostratus
Yes, you could use an iRule to select a pool based on the client IP address. Here is an example from cmbhatt:
Select specific Node based on incoming src IP
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3315733175
You can use matchclass to check the client IP address against an address-type datagroup with one or more hosts/subnets. Or to compare the client IP address against a single IP address or subnet, you can use IP::addr.
It would be easier to configure the virtual server to select the pool based on the VLAN the client connects to the VIP from. If you could do that, you could just have one VIP per incoming VLAN and not bother with an iRule.
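As an added example (not code from the thread or from F5), the following v9-style iRule combines the two suggestions above: DMZ hosts are matched with matchclass against an address datagroup and sent out the leased line, internal clients are matched with IP::addr and split by protocol port. The datagroup name dmz_servers, the pool names pool_gw_leaseline and pool_gw_adsl, and the internal subnet 172.30.1.0/24 are assumptions; the iRule must be attached to a pool-based wildcard virtual server (0.0.0.0:0, all protocols, default pool pool_gw_adsl, enabled only on the internal VLAN), not to an IP-forwarding virtual server, because pool selection needs a pool-based VIP.

```tcl
# Added example for this thread, not from the original posts or F5 docs.
# Hypothetical objects: address-type datagroup "dmz_servers" holding the
# ASA NAT addresses (172.30.1.6, 172.30.1.7), and the two gateway pools
# "pool_gw_leaseline" and "pool_gw_adsl".
when CLIENT_ACCEPTED {
    # DMZ servers (web, mail) always leave through the leased line.
    if { [matchclass [IP::client_addr] equals $::dmz_servers] } {
        pool pool_gw_leaseline
        return
    }

    # Assumed internal client subnet: SMTP, HTTP and HTTPS use the leased
    # line; everything else (including ICMP and UDP) uses the ADSL gateways.
    if { [IP::addr [IP::client_addr] equals 172.30.1.0/24] } {
        if { [IP::protocol] == 6 } {
            switch [TCP::local_port] {
                25 -
                80 -
                443 { pool pool_gw_leaseline }
                default { pool pool_gw_adsl }
            }
        } else {
            pool pool_gw_adsl
        }
        return
    }

    # Any other source is not a known client of this VIP; drop the
    # connection rather than forward it to the Internet.
    discard
}
```

Because the VIP is enabled only on the internal VLAN, the discard branch is a safety net for unexpected sources rather than the normal path; check the pool members and VLAN list before enabling the rule.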
Aaron
- tranchungdt5_93
Nimbostratus
Thank you Aaron very much.
Today, I removed the Virtual IP Forwarding 0.0.0.0 that goes to the leased-line pool, and the result is: internal clients still go to the Internet, and traffic from the Internet to Web and Mail is OK. It still works until I remove the default gateway, which is the pool of leased-line gateways.
So I wonder, what is the purpose of using Virtual IP Forwarding 0.0.0.0?
And with the iRule I have created, which virtual server do I attach this iRule to in order to go out?
Could you help me understand more, please.
Thanks a lot.
TC
- BPetronio_11363
Nimbostratus
Hello tranchungt5, all,
I'm using your example as a case study of a Link Controller configuration, because I found very similar requisites for my future installation.
When I was reading your configuration I could see some mismatch in the addressing scheme. I have very few hours on BIG-IP, so it could be a fault of knowledge on my side. I'm sorry if so.
1. Are "203.162.0.1 - - 210.245.0.1" the IPs of the ISP routers you are connecting to? If I'm correct, why are you saying you have those same addresses as floating IP addresses?
2. The links are configured with those router addresses, but what about the uplink address? Did you leave it blank?
3. What do the IPs "203.162.0.4 - - 210.245.0.4" correspond to? In the diagram I understood they would be the self IP addresses (floating, I guess), but in the configuration list they are referenced as "Pool_Router" members.
4. On the "inside", you have on the diagram that 172.16.1.1 would be the internal IP address (that's what I understood), but you are referencing 172.30.1.3 as the Internal floating IP address.
5. Regarding VPN connections, is there any tricky issue we must implement on the FW regarding header manipulation? In fact the VPN is established between the ASA and other sites/clients, and the ASA will be represented by a virtual server with a public IP address. (I'm thinking of NAT traversal or others.)
I would appreciate your comments.
Many thanks,
Bruno Petrónio