Forum Discussion
chrisphysics_11
Nimbostratus
Jan 02, 2013
How to - not use NAT for a single host behind an F5 when not using a VIP.
I have an F5 which is using a SNAT list to automap all addresses on my inbound VLAN. (call this the outside)
I believe this is used for outbound connections from internal hosts to present a rout...
nitass
Employee
Jan 04, 2013
You can also check the source IP in the iRule before disabling SNAT. 200.200.200.10 is the BIG-IP self IP.
[root@ve10:Active] config b virtual bar list
virtual bar {
   ip forward
   destination any:any
   mask 0.0.0.0
   rules myrule
}
[root@ve10:Active] config b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
      if { [IP::addr [IP::client_addr] equals 172.28.19.251/32] } {
         snat none
      }
   }
}
[root@ve10:Active] config b snat snat0 list
snat snat0 {
   automap
   snatpool none
   origins default inet
}
inbound traffic to server from client 172.28.19.251 (source ip is translated)
[root@ve10:Active] config tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
19:08:21.319605 IP 172.28.19.251.60531 > 200.200.200.101.80: S 3729429280:3729429280(0) win 5840
19:08:21.321640 IP 172.28.19.251.60531 > 200.200.200.101.80: S 3729429280:3729429280(0) win 5840
19:08:21.322634 IP 200.200.200.101.80 > 172.28.19.251.60531: S 1906927011:1906927011(0) ack 3729429281 win 5792
19:08:21.322645 IP 200.200.200.101.80 > 172.28.19.251.60531: S 1906927011:1906927011(0) ack 3729429281 win 5792
19:08:21.323695 IP 172.28.19.251.60531 > 200.200.200.101.80: . ack 1 win 46
19:08:21.323705 IP 172.28.19.251.60531 > 200.200.200.101.80: . ack 1 win 46
inbound traffic to server from client 172.28.19.101 (source ip is not translated)
[root@ve10:Active] config tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
19:20:00.870593 IP 172.28.19.101.42255 > 200.200.200.101.80: S 2723259595:2723259595(0) win 5840
19:20:00.870674 IP 200.200.200.10.42255 > 200.200.200.101.80: S 2723259595:2723259595(0) win 5840
19:20:00.871679 IP 200.200.200.101.80 > 200.200.200.10.42255: S 1391968267:1391968267(0) ack 2723259596 win 5792
19:20:00.871689 IP 200.200.200.101.80 > 172.28.19.101.42255: S 1391968267:1391968267(0) ack 2723259596 win 5792
19:20:00.872697 IP 172.28.19.101.42255 > 200.200.200.101.80: . ack 1 win 46
19:20:00.872707 IP 200.200.200.10.42255 > 200.200.200.101.80: . ack 1 win 46
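A way to check captures like the ones above mechanically, added here as an example and not part of nitass's post: it pairs the two copies of each SYN that `tcpdump -i 0.0` records (client side, then server side) and compares their source addresses. It assumes, as in these captures, that the initial sequence number is unchanged across the BIG-IP; `snat_report` and the sample constant are hypothetical names.

```python
import re

# Constructed sample: SYN and SYN-ACK lines copied from the two captures above.
CAPTURE = """\
19:08:21.319605 IP 172.28.19.251.60531 > 200.200.200.101.80: S 3729429280:3729429280(0) win 5840
19:08:21.321640 IP 172.28.19.251.60531 > 200.200.200.101.80: S 3729429280:3729429280(0) win 5840
19:08:21.322634 IP 200.200.200.101.80 > 172.28.19.251.60531: S 1906927011:1906927011(0) ack 3729429281 win 5792
19:20:00.870593 IP 172.28.19.101.42255 > 200.200.200.101.80: S 2723259595:2723259595(0) win 5840
19:20:00.870674 IP 200.200.200.10.42255 > 200.200.200.101.80: S 2723259595:2723259595(0) win 5840
19:20:00.871679 IP 200.200.200.101.80 > 200.200.200.10.42255: S 1391968267:1391968267(0) ack 2723259596 win 5792
"""

# tcpdump line: time, "IP", src.port > dst.port:, flags, seq:seq(len), rest
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) (?P<seq>\d+):\d+\(\d+\)(?P<rest>.*)$"
)


def snat_report(capture):
    """Map each client IP to the source IP the server saw for its SYN."""
    syns = {}  # (dst ip, dst port, initial seq) -> source IPs in capture order
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m or m["flags"] != "S" or " ack " in m["rest"]:
            continue  # keep initial SYNs only; skip SYN-ACKs and bare ACKs
        key = (m["dst"], m["dport"], m["seq"])
        syns.setdefault(key, []).append(m["src"])
    report = {}
    for sources in syns.values():
        if len(sources) < 2:
            continue  # only one side of the BIG-IP was captured
        client_side, server_side = sources[0], sources[-1]
        report[client_side] = {
            "server_sees": server_side,
            "translated": client_side != server_side,
        }
    return report


if __name__ == "__main__":
    for client, result in snat_report(CAPTURE).items():
        seen = result["server_sees"]
        print(client, "translated to " + seen if result["translated"] else "not translated")
```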
