Forum Discussion
F5 Internal Server can't access internet without NAT
Hi,
We have an internal server connected to the internal LAN of an F5 LTM. The F5 LTM is connected to 2 Huawei Active-Active firewalls.
Server gateway is the self IP of the F5.
A Forward IP virtual server is created on the F5 for the internal VLAN.
A default route points to the virtual address of the Huawei firewalls.
The Huawei firewalls have a route back to the internal server VLAN pointing to the external virtual server IP address of the F5.
The internal server can ping the F5 internal and external interface self IPs and can ping the external virtual server, but can't ping the Huawei firewalls nor the internet router that is behind the firewalls.
The F5 can ping the internet router with a source address in the internal VLAN.
The firewalls can ping the external virtual server but can't ping the internal server VLAN.
All settings on the firewalls are set correctly as per the firewall engineer.
Internet access is not working on the internal server, but incoming requests to the virtual server from the internet are working well and we can access the internal server from outside.
Trying SNAT didn't help, as we thought it is not needed here.
Doing NAT for the internal server IP address to the external F5 self IP address solved the issue and the server could access the internet.
The F5 engineer confirmed we shouldn't use NAT, as it is impossible to do this NAT for all the servers inside the F5.
So please help: what may be the issue that is solved using the NAT, and how could the server access the internet while having the F5 as its gateway?
Thanks, Haitham
- nathe
Cirrocumulus
Haitham,
You will need to translate the internal server IP address behind a publicly accessible IP of some sort at some point. I think the F5 engineer recommended not using NAT because NAT is a one-to-one mapping of an internal address and a translation address, so it doesn't scale very well. SNATs, on the other hand, can be a many-to-one translation, so you could specify a network range as the origin and then a single translated address. Hopefully this article helps: Nats and Snats.
You could create the SNAT as the external virtual server address, I believe.
Hope this helps,
N
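The one-to-one versus many-to-one distinction in the reply above, as an added example that is not part of the original thread and is not BIG-IP code. It is a simplified model: all addresses are constructed, the class and function names are hypothetical, and the sequential port allocation is an assumption made for illustration.

```python
import ipaddress

class StaticNat:
    """One-to-one NAT: every internal host needs its own translation address."""
    def __init__(self):
        self.out, self.back = {}, {}

    def add(self, internal, translation):
        if translation in self.back:
            raise ValueError(f"{translation} already maps to {self.back[translation]}")
        self.out[internal], self.back[translation] = translation, internal

    def outbound(self, src_ip, src_port):
        # Port is untouched; a host without its own mapping is not translated.
        return (self.out[src_ip], src_port) if src_ip in self.out else None

    def inbound(self, dst_ip, dst_port):
        return (self.back[dst_ip], dst_port) if dst_ip in self.back else None

class Snat:
    """Many-to-one SNAT: a whole origin network shares one translation address."""
    def __init__(self, origin, translation, first_port=1024):
        self.origin = ipaddress.ip_network(origin)
        self.translation = translation
        self.next_port = first_port  # assumption: simple sequential allocation
        self.flows = {}    # (src_ip, src_port) -> translated source port
        self.reverse = {}  # translated source port -> (src_ip, src_port)

    def outbound(self, src_ip, src_port):
        if ipaddress.ip_address(src_ip) not in self.origin:
            return None
        key = (src_ip, src_port)
        if key not in self.flows:
            # Flows sharing the address are told apart by translated source port.
            self.flows[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.translation, self.flows[key])

    def inbound(self, dst_ip, dst_port):
        # Return traffic is mapped back only for a flow this SNAT created.
        return self.reverse.get(dst_port) if dst_ip == self.translation else None

def demo():
    # Constructed sample: three servers in 10.0.0.0/24, documentation-range public IPs.
    nat = StaticNat()
    nat.add("10.0.0.11", "203.0.113.11")
    snat = Snat("10.0.0.0/24", "203.0.113.10")
    servers = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    return ([nat.outbound(s, 40000) for s in servers],
            [snat.outbound(s, 40000) for s in servers],
            snat.inbound("203.0.113.10", 1025))
```

With static NAT only the server that has its own mapping is translated, while the single SNAT entry covers every server in the origin range and return traffic is matched back to the right server by port.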
- Mahammad_381074
Nimbostratus
Hi, I am not able to reach the VIP (inside server) from the outside network in a VMware lab environment. I am new to F5, please help me out.
Inside network: 10.10.1.X/24
MGMT network: 9.1.1.X/24
External network: 192.168.1.X/24
I changed SNAT to auto but I am still facing the same problem.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 external
9.1.1.0         0.0.0.0         255.255.255.0   U     0      0        0 mgmt
10.10.1.0       0.0.0.0         255.255.255.0   U     0      0        0 internal
127.1.1.0       0.0.0.0         255.255.255.0   U     0      0        0 tmm
127.7.0.0       127.1.1.253     255.255.0.0     UG    0      0        0 tmm
127.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 tmm_bp
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 external
[root@BIG-IP-Lab-1:Active:Standalone] config
[root@BIG-IP-Lab-1:Active:Standalone] config curl -H "Host: VIPIP" http://10.10.1.11/monitor/bigip.html
Server Up
[root@BIG-IP-Lab-1:Active:Standalone] config