For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jba3126's avatar
jba3126
Icon for Cirrostratus rankCirrostratus
Jun 09, 2010

Configure LTM as a true Full Proxy

In short we need to have the LTM do a Full Proxy. By that I mean the client IP communicates with the VIP via TCP 9091. The LTM in turn opens a separate TCP connection via 9091 to the Application serv...
config
design
jba3126's avatar
jba3126
Icon for Cirrostratus rankCirrostratus
Jun 14, 2010
After some research on SNAT/SNAT Pool, I believe this will work. Below is an example from my lab LTM. Please provide some feedback/corrections.

 

 

=====================

 

From bigip_base.conf

 

=====================

 

 

self 10.10.0.254 {

 

netmask 255.255.255.0

 

vlan LB-internal

 

allow all

 

}

 

self 10.30.0.254 {

 

netmask 255.255.0.0

 

vlan LB-external

 

allow all

 

}

 

 

 

================

 

From bigip.conf

 

================

 

 

snat translation 10.30.1.10 {

 

ip timeout 28800

 

}

 

snatpool TSYS-ISIS-SNAT-Pool {

 

members 10.30.1.10

 

}

 

monitor RDP {

 

defaults from tcp_half_open

 

dest *:3389

 

}

 

pool TSYS-ISIS-PROD-9091 {

 

action on svcdown reselect

 

monitor all RDP

 

members 10.10.0.10:3389

 

}

 

virtual TSYS-ISIS-PROD-9091 {

 

snatpool TSYS-ISIS-SNAT-Pool

 

pool TSYS-ISIS-PROD-9091

 

destination 10.30.1.10:3389

 

ip protocol tcp

 

profiles

 

tcp-lan-optimized

 

serverside

 

tcp-wan-optimized

 

clientside

 

}