F5 Redirection over Public Networks
Hi,
I am trying to set up an F5 in this way and I am wondering where this is going wrong:
I have the F5 facing the internal network and an external network connected to a Firewall DMZ interface facing the internet.
I created a public IP on the Firewall which NATs the traffic to the F5 BIG-IP VIP, which is on the external DMZ interface connected to the Firewall.
External NAT:
I created a new Public IP X.X.X.X on our Firewall and did a static NAT to 172.16.183.82 VIP
!
Firewall(config) static (DMZ,outside) X.X.X.X 172.16.183.82 netmask 255.255.255.255
!
Opened external access to the X.X.X.X IP for www and https
access-list acl_out extended permit tcp any host X.X.X.X eq www
access-list acl_out extended permit tcp any host X.X.X.X eq https
So when external users hit the X.X.X.X IP they are NATed by the Firewall to 172.16.183.82, which is the F5 VIP.
I created:
Internal Vlan – Self IP 10.10.10.1 – Reachable from Internal network
External Vlan – Self IP 172.16.183.80 – Reachable from Firewall DMZ/Internet Firewall
Routes:
10.0.0.0 255.0.0.0 GW 10.10.10.1 (Internal Vlan Gateway)
0.0.0.0 0.0.0.0 GW 172.16.183.81 (FW DMZ Interface connected to F5 VIP External)
HTTP Profile:
http_X-Forwarded-For inherited by http class with X-Forwarded Enabled
iRule:
redirect_rule
when HTTP_REQUEST {
    switch "[string tolower [HTTP::uri]]" {
        "/test" - "/test/" {
            HTTP::redirect "http://test.domain.com/odt"
        }
        "/cims" - "/cims/" {
            HTTP::redirect "http://test.domain.com/cims"
        }
    }
}
test.domain.com is a server in the internal network, for example 10.20.1.20.
Virtual Server:
redirect_HTTP
VIP 172.16.183.82 (VIP is reachable from FW) with x-Forwarded Profile and SNAT AutoMap enabled on internal and external interface
Then I test the results on an external PC:
I go to:
When trying this from external network that does not have direct access to the Internal network test.domain.com it fails.
When trying this from internal network that has access to test.domain.com it works.
Seems like the redirect and NAT work, but test.domain.com is only able to reply if the request is sourced from an internal customer host and not from an external customer host.
I thought about something like asymmetric routing, with the internal server not going through the F5 to reply back to the external host after the redirect; however, I do have SNAT enabled as AutoMap already.
13 Replies
- What_Lies_Bene1
Cirrostratus
Good stuff. I'd suggest you look into the APM module for the SecureID functionality; it's supported and a common configuration but obviously it'll cost.
- Ruggero_27857
Nimbostratus
Thanks guys,
I have configured the iRule using Pools instead of Redirect rules:
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "*odt*" - "*cims*" - "*t3*" { pool elc.domain.com }
        "*cmtext*" { pool Europe-CMTExt }
        "*cognos*" { pool server-tst-21 }
        "*extcognos*" { pool server-svr-92 }
    }
}
Now:
http://x.x.x.x/Odt FAILS from external hosts and works from internal hosts
http://x.x.x.x/Cims WORKS only if I use HTTP profile and not X-Forwarded
http://x.x.x.x/cmtext WORKS with any HTTP Profile both from external host and internal host
http://x.x.x.x/Extcognos FAILS from internal and external host
http://x.x.x.x/t3 WORKS from internal and external host BUT when opened from External Host it does not display images inside the page it just display the login prompt with broken images links.
Must be something on the application side that I need to figure out, however the rule appears to be correct now.
- What_Lies_Bene1
Cirrostratus
OK, this might prove slightly better, especially where the cognos URIs are concerned. An HTTP profile is required.
I'd also suspect these issues are server related. You could add some logging to confirm the rule is working. So, here's the updated rule:
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/odt*" - "/cims*" - "/t3*" {
            pool elc.domain.com
            log local0. "Matched: [HTTP::uri] with /odt, /cims or /t3, using Pool: elc.domain.com"
        }
        "/cmtext*" {
            pool Europe-CMTExt
            log local0. "Matched: [HTTP::uri] with /cmtext, using Pool: Europe-CMTExt"
        }
        "/cognos*" {
            pool server-tst-21
            log local0. "Matched: [HTTP::uri] with /cognos, using Pool: server-tst-21"
        }
        "/extcognos*" {
            pool server-svr-92
            log local0. "Matched: [HTTP::uri] with /extcognos, using Pool: server-svr-92"
        }
        default {
            drop
        }
    }
}
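An added illustration, not part of the thread, of why the anchored patterns in the follow-up rule matter: a small Python model of Tcl `switch -glob` first-match semantics (approximated with fnmatch) run over both rules as posted. The sample URIs are constructed.

```python
from fnmatch import fnmatchcase

# Ruggero's rule: unanchored patterns, evaluated top to bottom.
UNANCHORED_RULE = [
    (("*odt*", "*cims*", "*t3*"), "elc.domain.com"),
    (("*cmtext*",), "Europe-CMTExt"),
    (("*cognos*",), "server-tst-21"),
    (("*extcognos*",), "server-svr-92"),
]

# What_Lies_Bene1's follow-up: patterns anchored at the start of the URI.
ANCHORED_RULE = [
    (("/odt*", "/cims*", "/t3*"), "elc.domain.com"),
    (("/cmtext*",), "Europe-CMTExt"),
    (("/cognos*",), "server-tst-21"),
    (("/extcognos*",), "server-svr-92"),
]


def select_pool(rule, uri):
    """Mimic 'switch -glob [string tolower [HTTP::uri]]': the URI is
    lowercased, and the FIRST matching branch wins. None means no branch
    matched (in the follow-up rule that is the 'default { drop }' path)."""
    uri = uri.lower()
    for patterns, pool in rule:
        if any(fnmatchcase(uri, p) for p in patterns):
            return pool
    return None


def compare(uris):
    """Return {uri: (pool under unanchored rule, pool under anchored rule)}."""
    return {u: (select_pool(UNANCHORED_RULE, u),
                select_pool(ANCHORED_RULE, u)) for u in uris}


if __name__ == "__main__":
    # Constructed sample requests. Note /Extcognos: the unanchored "*cognos*"
    # branch shadows "*extcognos*" and sends it to the wrong pool, while a
    # filename containing "odt" under /cmtext is stolen by "*odt*".
    samples = ["/Odt", "/Extcognos", "/cmtext/report.odt", "/t3/img/logo.png", "/status"]
    for uri, (old, new) in compare(samples).items():
        print(f"{uri:20} unanchored -> {str(old):15} anchored -> {new}")
```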