Forum Discussion
ReWrite_132188
Jul 02, 2014 Nimbostratus
F5 BIG-IP answers with a self-ip that is not associated with that VLAN
Hi, I am working on implementing av proxy-solution with the help of F5 BIG-IP to do SSL-decrypt.
In short:
Users surf the web, and the traffic hits the F5 internal VLAN over a fiber-trunk(2.1 and...
ReWrite_132188
Jul 07, 2014 Nimbostratus
Thanks for the answers. I know the explanation is kinda hard to understand.
Second try:
Ingress VLAN Internal -> Virtual vs_proxy -> Egress VLAN cp_proxy -> Pool: pool_proxy -> Proxy -> Ingress VLAN cp_proxy_return -> Virtual vs_proxy_return -> Pool: pool_gateway -> Internet.
The traffic stops on Virtual vs_proxy_return. I can ping the F5 from the proxy, and the F5 can ping the proxy on the correct IPs. But doing a packet dump, I can only see the IP from the Internal VLAN responding to packets from the proxy.
Config
ltm snat-translation /Common/182.xx.xx.149 {
    address 182.xx.xx.149
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snat-translation /Common/182.xx.xx.150 {
    address 182.xx.xx.150
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snat-translation /Common/185.xx.xx.146 {
    address 185.xx.xx.146
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/sNAT-pool-outbound-inet {
    members {
        /Common/182.xx.xx.149
        /Common/182.xx.xx.150
    }
}
ltm virtual /Common/vs_ext_all {
    description
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_proxy_ext
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/external
    }
    vlans-enabled
}
ltm virtual /Common/vs_ext_ret_all {
    description
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_gateway_int
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/cp_proxy
    }
    vlans-enabled
}
ltm virtual /Common/vs_proxy {
    description
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_proxy
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/internal
    }
    vlans-enabled
}
ltm virtual /Common/vs_proxy_https {
    description
    destination /Common/0.0.0.0:443
    ip-protocol tcp
    mask any
    pool /Common/pool_proxy
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/http { }
        /Common/serverssl {
            context serverside
        }
        /Common/tcp { }
    }
    rules {
        /Common/pre_proxy
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port enabled
    vlans {
        /Common/internal
    }
    vlans-enabled
}
ltm virtual /Common/vs_proxy_return {
    description
    destination /Common/0.0.0.0:0
    mask any
    pool /Common/pool_gateway
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/cp_proxy_return
    }
    vlans-enabled
}
ltm virtual /Common/vs_proxy_return_http {
    description
    destination /Common/0.0.0.0:80
    ip-protocol tcp
    mask any
    pool /Common/pool_gateway
    profiles {
        /Common/http { }
        /Common/serverssl-insecure-compatible {
            context serverside
        }
        /Common/tcp { }
    }
    rules {
        /Common/post_proxy
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port enabled
    vlans {
        /Common/external
    }
    vlans-enabled
}
ltm virtual-address /Common/0.0.0.0 {
    address any
    arp disabled
    icmp-echo disabled
    mask any
    traffic-group /Common/traffic-group-1
}
ltm data-group internal /Common/bypass_nett {
    type ip
}
ltm data-group internal /Common/host_bypass {
    type string
}
ltm data-group internal /Common/hostname_bypass {
    type ip
}
ltm profile web-acceleration /Common/optimized-caching {
    app-service none
    cache-max-age 86400
    cache-object-max-size 2000000
    cache-object-min-size 0
    cache-size 7mb
    defaults-from /Common/webacceleration
}
ltm profile web-acceleration /Common/webacceleration {
    app-service none
    cache-aging-rate 9
    cache-client-cache-control-mode all
    cache-insert-age-header enabled
    cache-max-age 3600
    cache-max-entries 10000
    cache-object-max-size 50000
    cache-object-min-size 500
    cache-size 75mb
    cache-uri-exclude none
    cache-uri-include { .* }
    cache-uri-include-override none
    cache-uri-pinned none
    metadata-cache-max-size 25mb
}
net route /Common/DMZ-nett {
    gw 192.168.xx.1
    network 185.xx.xx.128/26
}
net route /Common/external_default_gateway {
    interface /Common/external
    network default
}
net route /Common/net-172.16.0.0-mask12 {
    gw 192.168.xx.1
    network 172.16.0.0/12
}
net route /Common/net-192.168.0.0-mask16 {
    gw 192.168.xx.1
    network 192.168.0.0/16
}
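
An added example, not part of the original post and not F5 tooling: a small Python parser that reads "ltm virtual" stanzas like the ones posted above and reports which virtual servers accept traffic on a given VLAN, so the hop order described in the post can be compared against the vlans / vlans-enabled settings. The function names are this example's own, and SAMPLE is a trimmed excerpt of two virtual servers from the posted config.

```python
# Added example: which BIG-IP virtual servers listen on which VLAN (SAMPLE is a trimmed excerpt).
SAMPLE = """\
ltm virtual /Common/vs_proxy_return {
    destination /Common/0.0.0.0:0
    pool /Common/pool_gateway
    vlans {
        /Common/cp_proxy_return
    }
    vlans-enabled
}
ltm virtual /Common/vs_proxy_return_http {
    destination /Common/0.0.0.0:80
    vlans {
        /Common/external
    }
    vlans-enabled
}
"""

def parse_virtuals(text):
    """Parse 'ltm virtual' stanzas by brace depth; other stanzas are skipped."""
    virtuals, cur, stack = {}, None, []
    for line in map(str.strip, text.splitlines()):
        key, _, val = line.partition(" ")
        if line.endswith("{"):
            if not stack and line.startswith("ltm virtual "):
                cur = {"vlans": [], "mode": "vlans-disabled"}  # default: all VLANs
                virtuals[line.split()[2].rsplit("/", 1)[-1]] = cur
            stack.append(key)
        elif line == "}":
            stack = stack[:-1]            # tolerate a truncated paste
            cur = cur if stack else None
        elif cur is not None and stack:
            if stack[-1] == "vlans":
                cur["vlans"].append(key.rsplit("/", 1)[-1])
            elif key in ("destination", "pool"):
                cur[key] = val.rsplit("/", 1)[-1]
            elif key in ("vlans-enabled", "vlans-disabled"):
                cur["mode"] = key         # how the vlans list is interpreted
    return virtuals

def listeners(virtuals, vlan):
    """Names of virtual servers that accept traffic arriving on `vlan`."""
    return sorted(name for name, v in virtuals.items()
                  if (v["mode"] == "vlans-enabled") == (vlan in v["vlans"]))

if __name__ == "__main__":
    for vlan in ("cp_proxy_return", "external", "internal"):
        print(vlan, "->", listeners(parse_virtuals(SAMPLE), vlan) or "no listener")
```

Run against the full configuration text, it prints one line per VLAN of interest; a VLAN with no listener is one where no virtual server picks up the arriving traffic.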