Configuring a SNAT for internal hosts to route to the rest of the external network...
Sorry if this isn't an "advanced" topic... if it isn't, please point me at the correct board, but...
I'm trying to set up our internal load-balanced hosts so that they can access other resources on the external DMZ networks as well as the internet, and I can't seem to figure out how to get it working.
I have the default gateway of the internal hosts set to the internal SelfIP on the LB, I think that's correct, as I can't access the host's services at all unless that's set. What am I missing?
There are a few ways you can pass traffic from the internal hosts outbound. You could define a virtual server on port 0 (any) which is enabled only on the internal hosts' VLAN(s). If you want to use the LTM routing table you could set the virtual server type to forwarding. Or if you want to specify one or more gateways, you could use a FastL4 virtual server pointing to a pool of the gateway(s). You'd probably want to enable SNAT on the virtual server to ensure responses come back to LTM. If there is a lot of outbound traffic, you might want to use a SNAT pool with multiple addresses or add multiple floating self IP's on the egress VLAN(s). For info on this you can check SOL2053:
Visibilty - I really don't care to make all the internal servers visible to the outside world, I'd just as soon have them behind a gateway, much like a home router hides all the internal IP addresses. We're providing load-balanced services through a virtual server, if we want we can masquerade the internal hosts as this IP, but I'd prefer to masquerade as the external SelfIP for the LB for routing purposes. All I really care about is routing return traffic originating from our internal (non-routable) subnet.
I think, then, that what I want is just a straight snat without an associated virtual server, but I'm not sure. How would I go about setting that up?
if you just need a straight SNAT (not on a Virtual Server), you're effectively creating a SNAT listening on a VLAN, so the basic steps would be:
1) Local Traffic>Snats>SNAT List>Create...
2) Give it a name, and for testing purposes set 'translation' to Automap, which will ensure the outbound traffic gets SNATed to the egress VLANs self ip(floating preferentially, if there is one), to ensure traffic can route back correctly
3) Origin: is basically 'who is allowed to use the SNAT?' - this is either going to be 'All Addresses' (meaning anyone who hits the SNAT) or "Address list" and then a defines range of IP's and/or subnets that can use the SNAT.
4) VLAN Traffic is very important, select to 'Enable On....' then select only the VLANs on which it needs to listen (e.g. your internal VLAN).
That's pretty much it, let us know how you get on!
If you have ask f5 access, there's a pretty good rundown of SNAT features here: