Forum Discussion
Harish_Babu
Nimbostratus
NimbostratusF5 AFM Source / Destination NAT
Hello Team We are having F5 DNS+AFM, the DNS configured as a transparent cache with DoS and access rules in place, diagram provided for better understanding of the setup. We want to ...
Harish_BabuNimbostratus
NimbostratusHello Mohamed Kansoh
I’m thankful for your reply.
Unfortuantly the CMP-Hash did not make any diffrence.
In the packet-tester, we can see the traffic is dropped by the VS (missing flow).
In the packet capture we can see only sync, attached same for your reference.
We tried the policy on both VS and Global.
Regards
Harish Babu
Okay Harish_Babu ,
- why dns udp requesting timeout ? in the last snap shot ?- Are you sure you have attached the NAT policy to "Forward_VS" ?
it's strange why bigip doesn't perform NATing after receiving SYN !
- Create a global policy which allows ( UDP port 53 / TCP port 443 , ssh ) traffic , with Action " accept decisively " , to prevent further checks on virtual server context ?
this is just for testing >>
make sure that in the FW mode options ( Virtual server / selfip context ) is set to accept not drop.
-Are you sure you have changed the CMP-Hash to source address in Vlan Tag 300 ( which is the ingress Vlan for traffic directed to forward_VS )
- Check this article for ingress drops : https://my.f5.com/manage/s/article/K10191
let me know the updates
