For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

panos_101277's avatar
panos_101277
Icon for Nimbostratus rankNimbostratus
Jun 17, 2008

Have a series 9 BigIP do switching instead of SNAT

Hi,     I've been trying to find a way to get a series 9 (9.4.4) BigIP to do switching instead of nat so that requests to servers come from the real originating IP and not the load balance...
config
design
dennypayne's avatar
dennypayne
Icon for Employee rankEmployee
Jun 18, 2008
Do you have a forwarding virtual server defined? BIG-IP is a default deny box, just like a firewall, so if you aren't specifically allowing traffic to pass, then it won't.

 

 

So if you want to allow the servers to initiate outbound connections without a SNAT, you need a forwarding virtual server. I typically use a wildcard one (0.0.0.0:0 - type IP forwarding - all protocols) because you don't know what the destination networks might be. You can enable it only on the internal VLAN if you don't want outside traffic to be forwarded inbound (or leave it enabled on all VLANS if you do).

 

 

You also need to make sure that whatever BIG-IP's gateway is knows how to route back to the network that's behind BIG-IP, since BIG-IP will be preserving the server's source IP when it forwards traffic outbound. Typically that would be a static route to the internal network pointing to the BIG-IP's external floating address (for a redundant pair).

 

 

Denny