F5 SMTP Fast Template - SNAT Not working as expected
- Oct 06, 2023
Franky-frank-reg7 That is true, but to simplify the configuration so that you reduce the man hours you might/will spend in the future troubleshooting a non-standard deployment of the F5, you should deploy it as option 1.
Franky-frank-reg7 Would you mind sharing the entire configuration that relates to this SMTP virtual server so I can take a deeper look? The configuration should include the virtual server, TCP profiles, pool, and any associated iRules.
{
  "class": "ADC",
  "schemaVersion": "3.0.0",
  "id": "urn:uuid:a858e55e-bbe6-42ce-a9b9-0f4ab33e3bf7",
  "Exchange2019": {
    "class": "Tenant",
    "Exchang2019_SMTP_Internal": {
      "class": "Application",
      "template": "generic",
      "Exchang2019_SMTP_Internal": {
        "virtualAddresses": [ "10.20.22.228" ],
        "virtualPort": 25,
        "snat": "none",
        "class": "Service_TCP",
        "pool": "Exchang2019_SMTP_Internal_pool",
        "profileTCP": "wan",
        "iRules": []
      },
      "Exchang2019_SMTP_Internal_pool": {
        "class": "Pool",
        "members": [
          {
            "serverAddresses": [ "10.20.22.150" ],
            "servicePort": 25,
            "connectionLimit": 0,
            "priorityGroup": 0,
            "shareNodes": true
          }
        ],
        "loadBalancingMode": "least-connections-member",
        "slowRampTime": 300,
        "monitors": [
          { "use": "Exchang2019_SMTP_Internal_monitor" }
        ]
      },
      "Exchang2019_SMTP_Internal_monitor": {
        "class": "Monitor",
        "monitorType": "smtp",
        "interval": 30,
        "timeout": 91,
        "domain": "smtp.regeneron.com",
        "username": "",
        "passphrase": {
          "ciphertext": "",
          "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
        }
      }
    }
  }
}
- Paulius, Sep 28, 2023, MVP
Franky-frank-reg7 It seems like this is what you push to the device with the template. Do you have the configuration directly from the F5?
- Franky-frank-reg7, Oct 03, 2023, Altocumulus
Hi Paulius,
We made it a step further to get the SNATed client IPs terminated on the Exchange server, but the issue is that Exchange actually needs to see the real client IP addresses for the allowed relay list function to work. So we've instead decided to go with an inline design. We removed SNAT from the virtual server, configured the Exchange server to point to the F5 self IP as its DGW, and configured an IP forwarding virtual server to forward server connections as shown below:
However, because the internal VLAN is a segment on the core switch, egress traffic from the server shown above in blue is being routed server -> F5 -> core switch, and return traffic (red) is coming in on the cores and going directly to the server on VLAN 225. Since VLAN 225 is a directly attached segment to the core switch, the traffic reaches the server directly instead of going back through the F5 on return. The question is: should the internal VLAN instead be isolated so it's not accessible on the core, or can we instead apply a SNAT for only the server IP as it goes outbound to the external network? Please see the drawn options below:
Option 1: Isolated VLAN inline of F5; routes on the cores point to the F5 self IP of the external VLAN to route to the internal isolated VLAN.
Option 2:
- Paulius, Oct 03, 2023, MVP
Franky-frank-reg7 You will want to do option 1.
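The following is an added example, not code from the thread or from F5: a small static-routing model that reproduces the asymmetric return path described in Franky-frank-reg7's post (egress server -> F5 -> core, return core -> server directly because VLAN 225 is also attached to the core) and shows why option 1 (an isolated internal VLAN that the core reaches only through a route to the F5's external self IP) makes both directions traverse the F5. The server address 10.20.22.150 and the 10.20.22.0/24 VLAN come from the AS3 declaration above; the external VLAN 10.20.23.0/24, the remote host 198.51.100.10 and the hop names are constructed placeholders.

```python
# Added example (not part of the thread or F5's own code): a routing model that
# reproduces the asymmetric return path from the thread and checks whether a
# middlebox (the F5) sees both directions of a flow.
# Assumptions: external VLAN 10.20.23.0/24, remote host 198.51.100.10 and the
# hop names are constructed; 10.20.22.150 / 10.20.22.0/24 are from the thread.
from ipaddress import ip_address, ip_network


class Hop:
    """A router or host: directly attached networks plus a static routing table."""

    def __init__(self, name, connected, routes):
        self.name = name
        self.connected = [ip_network(n) for n in connected]
        # routes: (prefix, name of the next hop); resolved by longest prefix match
        self.routes = [(ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        dst = ip_address(dst)
        if any(dst in net for net in self.connected):
            return None  # directly attached: delivered without another router
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(topology, endpoints, src, dst_ip):
    """Return the list of hop names a packet from `src` to `dst_ip` traverses."""
    path = [src]
    hop = topology[src]
    for _ in range(len(topology) + 1):  # guard against routing loops
        nh = hop.next_hop(dst_ip)
        if nh is None:
            owner = endpoints[dst_ip]
            if owner != hop.name:
                path.append(owner)
            return path
        path.append(nh)
        hop = topology[nh]
    raise RuntimeError(f"routing loop towards {dst_ip}: {path}")


def passes_through(topology, endpoints, a_hop, a_ip, b_hop, b_ip, middlebox="f5"):
    """(symmetric, forward path, return path); symmetric only if both paths cross the middlebox."""
    forward = trace(topology, endpoints, a_hop, b_ip)
    back = trace(topology, endpoints, b_hop, a_ip)
    return (middlebox in forward and middlebox in back), forward, back


SERVER, REMOTE = "10.20.22.150", "198.51.100.10"
ENDPOINTS = {SERVER: "server", REMOTE: "remote"}


def build(core_has_internal_vlan):
    """Current design (True): VLAN 225 (10.20.22.0/24) is also attached to the core.
    Option 1 (False): the internal VLAN exists only behind the F5 and the core
    reaches it through a static route whose next hop is the F5 external self IP."""
    core_connected = ["10.20.23.0/24"] + (["10.20.22.0/24"] if core_has_internal_vlan else [])
    core_routes = [("0.0.0.0/0", "remote")] + ([] if core_has_internal_vlan else [("10.20.22.0/24", "f5")])
    return {
        # the server's default gateway is the F5 internal self IP, as in the thread
        "server": Hop("server", ["10.20.22.0/24"], [("0.0.0.0/0", "f5")]),
        "f5": Hop("f5", ["10.20.22.0/24", "10.20.23.0/24"], [("0.0.0.0/0", "core")]),
        "core": Hop("core", core_connected, core_routes),
        "remote": Hop("remote", ["198.51.100.0/24"], [("0.0.0.0/0", "core")]),
    }


def check(core_has_internal_vlan):
    """Trace the server's outbound flow to the remote host and back."""
    topo = build(core_has_internal_vlan)
    return passes_through(topo, ENDPOINTS, "server", SERVER, "remote", REMOTE)


if __name__ == "__main__":
    for label, flag in (("current (VLAN 225 on core)", True), ("option 1 (isolated VLAN)", False)):
        ok, fwd, back = check(flag)
        print(f"{label}: symmetric={ok}")
        print("  egress  " + " -> ".join(fwd))
        print("  return  " + " -> ".join(back))
```

Running it prints the two cases side by side: in the current design the return path is remote -> core -> server, so the F5 never sees the reply and any stateful handling on the forwarding virtual server is bypassed; with option 1 the core's only route to 10.20.22.0/24 is via the F5, so the return path becomes remote -> core -> f5 -> server. The same model can be extended with the real self IPs and any additional static routes on the cores to confirm symmetry before the change is made.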