For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

panos_101277's avatar
panos_101277
Icon for Nimbostratus rankNimbostratus
Jun 17, 2008

Have a series 9 BigIP do switching instead of SNAT

Hi,     I've been trying to find a way to get a series 9 (9.4.4) BigIP to do switching instead of nat so that requests to servers come from the real originating IP and not the load balance...
config
design
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Jun 18, 2008
Are you talking connections into the servers from external, or connections being initiated by the servers?

 

 

Easiest way is to ensure that all traffic passes through the F5...

 

 

However if you get creative you can ensure that outbound connections from servers to external where only the packets from external to internal pass through the F5 work by using loose open/loose close in the protocol (TCP/SCTCP/UDP/Either) profile on the VS that is hit for the return traffic... (Otherwise the packets get dropped because they're not following the usual SYN/SYNACK/ACK sequence).

 

 

The other thing to watch for is asymmetric routing... Asymmetric routing doesn't work on F5 unless you disable the PVA (And also requires asettingin the DB IIRC).

 

 

H

 

 

H