Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Harish_Babu's avatar
Harish_Babu
Icon for Nimbostratus rankNimbostratus
Dec 08, 2023

F5 AFM Source / Destination NAT

Hello Team   We are having F5 DNS+AFM, the DNS configured as a transparent cache with DoS and access rules in place, diagram provided for better understanding of the setup.     We want to ...
security
Harish_Babu's avatar
Harish_Babu
Icon for Nimbostratus rankNimbostratus
Dec 11, 2023

Hello Mohamed Kansoh

I’m thankful for your reply.

Unfortuantly the CMP-Hash did not make any diffrence.

In the packet-tester, we can see the traffic is dropped by the VS (missing flow).

In the packet capture we can see only sync, attached same for your reference.

We tried the policy on both VS and Global.

Regards

Harish Babu

Mohamed_Ahmed_Kansoh's avatar
Mohamed_Ahmed_Kansoh
Icon for MVP rankMVP
Dec 12, 2023

Okay Harish_Babu , 

- why dns udp requesting timeout ? in the last snap shot ? 

- Are you sure you have attached the NAT policy to "Forward_VS" ? 
it's strange why bigip doesn't perform NATing after receiving SYN ! 

- Create a global policy which allows ( UDP port 53 / TCP port 443 , ssh ) traffic  , with Action " accept decisively " , to prevent further checks on virtual server context ? 
this is just for testing >> 
make sure that in the FW mode options ( Virtual server / selfip context ) is set to accept not drop.

-Are you sure you have changed the CMP-Hash to source address in Vlan Tag 300 ( which is the ingress Vlan for traffic directed to forward_VS ) 

- Check this article for ingress drops : https://my.f5.com/manage/s/article/K10191

let me know the updates