Forum Discussion
hassan_35511
Nimbostratus
Oct 10, 2012
help in SNAT AND NAT
I need help. I have created a pool with two members with 2 IPs (10.10.10.20 and 10.10.10.30) and I have created a virtual server with IP 172.16.3.251.
The external IP is: 172.16.3.250
The internal IP is: 10.10.10.0
I would like to create a SNAT list or NAT to let the 2 members go up to the internet. What should I create to resolve this problem? Do I need to create an iRule?
Thanks for your help
8 Replies
- nitass
Employee
"would like to create a SNAT list or NAT to let the 2 members to go up to the internet what should i create to resolve this problem ???"
If it is outbound traffic only, SNAT is fine. You may have to enable Snat.AnyIpProtocol to support any IP protocol.
e.g.
    [root@ve10:Active] config b snat snat1 list
    snat snat1 {
       automap
       snatpool none
       origins {
          10.10.10.20
          10.10.10.30
       }
       vlans internal enable
    }
    [root@ve10:Active] config b db Snat.AnyIpProtocol
    Snat.AnyIpProtocol = enable
- Mohamed_Lrhazi
Altocumulus
The 10.10.10.0/24 is your "internal" VLAN? You have only two servers in it, or more? Their default gateway is the LTM?
You want all internal servers to have access to the Internet? Or just two out of many?
Thanks,
Mohamed.
- hassan_35511
Nimbostratus
Yes, my internal IP address is 10.10.10.0 and I have 2 members only, and I want all the internal servers to have access to the internet.
Thanks for your help
- What_Lies_Bene1
Cirrostratus
Nitass's configuration should work just fine but just so it's clear:
1) The internal servers will have their source address NATted to the floating Self IP configured on the external VLAN and
2) As Mohamed has suggested, the server's default gateway should be the F5's floating Self IP for the internal VLAN.
Of course, you should also have a default route configured in LTM that directs the server traffic to wherever it needs to go in your network to reach the Internet.
- Mohamed_Lrhazi
Altocumulus
I think you need a wildcard virtual server to act as a router for your internal clients. Instead of listening on an IP address and port, it will listen on 0.0.0.0 and port *.
I think simply enabling SNAT = automap on this virtual server will do the trick.
You should not need other SNAT or NAT configuration settings.
Thanks,
Mohamed.
- hassan_35511
Nimbostratus
Thank you all, I have done this procedure and I got access to the internet,
BUT when I am doing a ping there is no reply. Can anybody help me to resolve the problem?
Thanks
- nitass
Employee
What procedure did you do?
If it is a wildcard virtual server, have you selected "Protocol" to "All Protocol" when creating it?
If it is SNAT, have you enabled the Snat.AnyIpProtocol db key or set "SNAT Packet Forwarding" in System > Configuration > Local Traffic > General in the GUI to "All traffic"?
- hassan_35511
Nimbostratus
Thanks nitass, you helped me a lot. Thanks for all :)
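Added example, not part of the thread and not F5 code: once Snat.AnyIpProtocol is enabled the SNAT carries any IP protocol for its origins, so the `origins` and `vlans` entries in the listing nitass posted are what bound it. This Python script parses that listing layout and flags origins outside the internal subnet or a SNAT not limited to named VLANs. The function names, the `allowed_net` parameter, and the reading of `vlans internal enable` as "enabled only on VLAN internal" are assumptions.

```python
import ipaddress
import re

# Constructed sample in the same layout as the `b snat snat1 list` output in the thread.
SAMPLE = "snat snat1 { automap snatpool none origins { 10.10.10.20 10.10.10.30 } vlans internal enable }"


def parse_snats(text):
    """Parse `snat NAME { ... }` blocks into {name: {origins, vlans, vlans_enabled}}."""
    tok = re.findall(r"[{}]|[^\s{}]+", text)
    snats, i = {}, 0
    while i < len(tok):
        if not (tok[i] == "snat" and tok[i + 2:i + 3] == ["{"]):
            i += 1  # not a block header (e.g. the echoed command line)
            continue
        entry = snats[tok[i + 1]] = {"origins": [], "vlans": [], "vlans_enabled": False}
        i += 3
        while i < len(tok) and tok[i] != "}":
            if tok[i] == "origins" and tok[i + 1:i + 2] == ["{"]:
                end = tok.index("}", i)  # raises ValueError on a truncated listing
                entry["origins"] = tok[i + 2:end]
                i = end
            elif tok[i] == "vlans":
                # Assumption: "vlans A B enable" means the SNAT is active only on VLANs A and B.
                j = i + 1
                while j < len(tok) and tok[j] not in ("enable", "disable", "}"):
                    j += 1
                entry["vlans"] = tok[i + 1:j]
                entry["vlans_enabled"] = tok[j:j + 1] == ["enable"]
                i = j - 1 if tok[j:j + 1] == ["}"] else j
            i += 1  # step past the keyword, value or closing brace just handled
    return snats


def audit(snats, allowed_net="10.10.10.0/24"):
    """Return (snat, finding) pairs for origins outside allowed_net or missing VLAN scoping."""
    allowed = ipaddress.ip_network(allowed_net)
    findings = []
    for name, s in snats.items():
        for origin in s["origins"]:
            if not ipaddress.ip_network(origin, strict=False).subnet_of(allowed):
                findings.append((name, f"origin {origin} outside {allowed_net}"))
        if not (s["vlans"] and s["vlans_enabled"]):
            findings.append((name, "not limited to an explicit VLAN list"))
    return findings


if __name__ == "__main__":
    print(audit(parse_snats(SAMPLE)))
```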