Forum Discussion
chrisphysics_11
Nimbostratus
Jan 02, 2013
How to - not use NAT for a single host behind an F5 when not using a VIP.
I have an F5 which is using a SNAT list to automap all addresses on my inbound VLAN. (call this the outside)
I believe this is used for outbound connections from internal hosts to present a rout...
nitass
Employee
Jan 03, 2013
"Does anyone know if this will also apply to a ipforward virtual server?"
ip forwarding virtual server does not have pool configuration.
can you try something like this?
[root@ve10:Active] config b snat snat0 list
snat snat0 {
   automap
   snatpool none
   origins default inet
}
[root@ve10:Active] config b virtual bar80 list
virtual bar80 {
   pool foo
   destination 172.28.19.252:80
   ip protocol 6
}
[root@ve10:Active] config b pool foo list
pool foo {
   members 200.200.200.101:80 {}
}
[root@ve10:Active] config b self 200.200.200.10 list
self 200.200.200.10 {
   netmask 255.255.255.0
   vlan internal
   allow default
}
inbound traffic to virtual server
line (1) shows source ip is translated to selfip (200.200.200.10).
[root@ve10:Active] config tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
22:57:19.779678 IP 172.28.19.251.35829 > 172.28.19.252.80: S 378202834:378202834(0) win 5840
22:57:19.779717 IP 172.28.19.252.80 > 172.28.19.251.35829: S 3718782002:3718782002(0) ack 378202835 win 4380
22:57:19.780672 IP 172.28.19.251.35829 > 172.28.19.252.80: . ack 1 win 46
(1) 22:57:19.780720 IP 200.200.200.10.35829 > 200.200.200.101.80: S 2936807042:2936807042(0) win 4380
22:57:19.780728 IP 172.28.19.251.35829 > 172.28.19.252.80: P 1:157(156) ack 1 win 46
22:57:19.781779 IP 200.200.200.101.80 > 200.200.200.10.35829: S 1002618947:1002618947(0) ack 2936807043 win 5792
22:57:19.781818 IP 200.200.200.10.35829 > 200.200.200.101.80: . ack 1 win 4380
[root@ve10:Active] config b virtual bar list
virtual bar {
   ip forward
   destination any:any
   mask 0.0.0.0
   rules myrule
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
      snat none
   }
}
inbound traffic to server (not via virtual server)
line (2) shows source ip is not translated to selfip.
[root@ve10:Active] config tcpdump -nni 0.0 port 23
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
22:59:20.504725 IP 172.28.19.251.47055 > 200.200.200.101.23: S 2714618692:2714618692(0) win 5840
(2) 22:59:20.504824 IP 172.28.19.251.47055 > 200.200.200.101.23: S 2714618692:2714618692(0) win 5840
22:59:20.505810 IP 200.200.200.101.23 > 172.28.19.251.47055: S 4166638761:4166638761(0) ack 2714618693 win 5792
22:59:20.505816 IP 200.200.200.101.23 > 172.28.19.251.47055: S 4166638761:4166638761(0) ack 2714618693 win 5792
22:59:20.506760 IP 172.28.19.251.47055 > 200.200.200.101.23: . ack 1 win 46
22:59:20.506767 IP 172.28.19.251.47055 > 200.200.200.101.23: . ack 1 win 46
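The comparison made by eye in the two captures above can be scripted. This is an added example, not part of the original thread: it reads `tcpdump -nn` text taken on interface 0.0 and reports, for each initial SYN sent into the server network, whether the source was rewritten to a self IP. The function names are hypothetical, and the server network 200.200.200.0/24 is assumed from the self IP and netmask shown in the post.

```python
import ipaddress
import re

# tcpdump -nn line: "<time> IP <src>.<sport> > <dst>.<dport>: <flags> ..."
# An optional "(1)"-style marker, as used in the post, may precede the time.
LINE_RE = re.compile(r"^(?:\(\d+\)\s+)?\S+ IP (\d+(?:\.\d+){3})\.\d+ > "
                     r"(\d+(?:\.\d+){3})\.(\d+): (\S+)(.*)$")

# Lines copied from the two captures in the post.
SAMPLE = """\
22:57:19.779678 IP 172.28.19.251.35829 > 172.28.19.252.80: S 378202834:378202834(0) win 5840
(1) 22:57:19.780720 IP 200.200.200.10.35829 > 200.200.200.101.80: S 2936807042:2936807042(0) win 4380
22:57:19.781779 IP 200.200.200.101.80 > 200.200.200.10.35829: S 1002618947:1002618947(0) ack 2936807043 win 5792
22:59:20.504725 IP 172.28.19.251.47055 > 200.200.200.101.23: S 2714618692:2714618692(0) win 5840
(2) 22:59:20.504824 IP 172.28.19.251.47055 > 200.200.200.101.23: S 2714618692:2714618692(0) win 5840
22:59:20.505810 IP 200.200.200.101.23 > 172.28.19.251.47055: S 4166638761:4166638761(0) ack 2714618693 win 5792
"""

def server_side_syns(capture, server_net):
    """Yield (src_ip, dst_ip, dst_port) once per initial SYN sent into server_net."""
    net = ipaddress.ip_network(server_net)
    seen = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, dport, flags, rest = m.groups()
        # Initial SYN only: flag field "S" without "ack" (skips SYN/ACK replies).
        if flags != "S" or " ack " in rest:
            continue
        if ipaddress.ip_address(dst) not in net:
            continue
        key = (src, dst, int(dport))
        if key not in seen:  # 0.0 shows a forwarded packet on ingress and egress
            seen.add(key)
            yield key

def snat_report(capture, server_net, self_ips):
    """Map each server-side flow to 'translated' (source is a self IP) or 'preserved'."""
    return {flow: ("translated" if flow[0] in self_ips else "preserved")
            for flow in server_side_syns(capture, server_net)}

if __name__ == "__main__":
    report = snat_report(SAMPLE, "200.200.200.0/24", {"200.200.200.10"})
    for (src, dst, port), verdict in report.items():
        print(f"{src} -> {dst}:{port}  {verdict}")
```

A flow reported as "preserved" means the server sees the real client address, so its return route must point back through the BIG-IP.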
