For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

karan12_154818's avatar
karan12_154818
Icon for Nimbostratus rankNimbostratus
Sep 06, 2014

How to Configure a PAT scenario in F5 LTM

Hi   I have three backend servers to be patted on a public ip listening on a specific port.I have gone through SNAT and normal NAT scenario.   BUT PAT the same way as any Virtual Server on a s...
application delivery
deployment
devops
ibm
iRules
LTM
nitass's avatar
nitass
Icon for Employee rankEmployee
Sep 06, 2014

All server1 to server3 patted to destination on that port w.

can you try virtual server with snat irule command (with port parameter)? you can check source and destination before applying snat.

snat

https://devcentral.f5.com/wiki/irules.snat.ashx

anyway, i think it won't fully work because port may not be available (port is being used by another connection which goes to the same destination). example is shown in trace1.

also, due to cmp architecture, intra communication between tmm may be needed. this may not be good in term of performance. example is in trace2.

sol14358: Overview of Clustered Multiprocessing (11.3.0 and later)

http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14358.html 
// config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual fwd
ltm virtual fwd {
    destination any:0
    ip-forward
    mask any
    profiles {
        fastL4 { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 5
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals 200.200.200.0/24] and [IP::addr [IP::local_addr] equals 172.28.24.1/32] } {
    snat 172.28.24.91 1111
  }
}
}

// trace 1

client1 is trying to open 2 connections (200.200.200.101:2222 and 200.200.200.101:4444) to the same destination (172.28.24.1:80). connection2 is reset. rst_cause is [0x1d5486c:1604] Unable to obtain local port.

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0:nnn -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes
20:47:17.865788 IP 200.200.200.101.2222 > 172.28.24.1.80: S 2002056986:2002056986(0) win 5840 (mss 1460,sackOK,timestamp 1767696883 0,nop,wscale 7) in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
20:47:17.866987 IP 172.28.24.91.1111 > 172.28.24.1.80: S 2002056986:2002056986(0) win 5840 (mss 1460,sackOK,timestamp 1767696883 0,nop,wscale 7) out slot1/tmm0 lis=/Common/fwd flowtype=129 flowid=5700010E1800 peerid=5700010E2C00 conflags=2A4 inslot=63 inport=55 haunit=1 priority=0 peerremote=00000000:00000000:0000FFFF:C8C8C865 peerlocal=00000000:00000000:0000FFFF:AC1C1801 remoteport=2222 localport=80 proto=6 vlan=4094
20:47:17.871805 IP 172.28.24.1.80 > 200.200.200.101.2222: S 2876593243:2876593243(0) ack 2002056987 win 5792 (mss 1460,sackOK,timestamp 1377190663 1767696883,nop,wscale 7) out slot1/tmm0 lis=/Common/fwd flowtype=65 flowid=5700010E2C00 peerid=5700010E1800 conflags=CA4 inslot=63 inport=55 haunit=1 priority=0 peerremote=00000000:00000000:0000FFFF:AC1C1801 peerlocal=00000000:00000000:0000FFFF:AC1C185B remoteport=80 localport=1111 proto=6 vlan=4093
20:47:17.871601 IP 172.28.24.1.80 > 172.28.24.91.1111: S 2876593243:2876593243(0) ack 2002056987 win 5792 (mss 1460,sackOK,timestamp 1377190663 1767696883,nop,wscale 7) in slot1/tmm1 lis= flowtype=136 flowid=5700596FCB00 peerid=0 conflags=B2 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
20:47:17.874989 IP 200.200.200.101.2222 > 172.28.24.1.80: . ack 1 win 46 (nop,nop,timestamp 1767696897 1377190663) in slot1/tmm0 lis=/Common/fwd flowtype=65 flowid=5700010E2C00 peerid=5700010E1800 conflags=CA4 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:AC1C1801 peerlocal=00000000:00000000:0000FFFF:AC1C185B remoteport=80 localport=1111 proto=6 vlan=4093
20:47:17.875002 IP 172.28.24.91.1111 > 172.28.24.1.80: . ack 1 win 46 (nop,nop,timestamp 1767696897 1377190663) out slot1/tmm0 lis=/Common/fwd flowtype=129 flowid=5700010E1800 peerid=5700010E2C00 conflags=2A4 inslot=63 inport=55 haunit=1 priority=0 peerremote=00000000:00000000:0000FFFF:C8C8C865 peerlocal=00000000:00000000:0000FFFF:AC1C1801 remoteport=2222 localport=80 proto=6 vlan=4094

20:47:20.944645 IP 200.200.200.101.4444 > 172.28.24.1.80: S 3101243297:3101243297(0) win 5840 (mss 1460,sackOK,timestamp 1767699965 0,nop,wscale 7) in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=63 inport=55 haunit=0 priority=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
20:47:20.946324 IP 172.28.24.1.80 > 200.200.200.101.4444: R 0:52(52) ack 3101243298 win 0 out slot1/tmm0 lis=/Common/fwd flowtype=65 flowid=5700010E1D00 peerid=0 conflags=CA4 inslot=63 inport=55 haunit=1 priority=0 rst_cause="[0x1d5486c:1604] Unable to obtain local port" peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0

// trace 2

client1 is opening a connection to 172.28.24.1:80. outbound connection is handled by tmm0 (slot1/tmm0) but inbound is handled by tmm1 (slot1/tmm1) due to cmp. intra-communication between tmm is needed.

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:44:17.441299 IP 200.200.200.101.2222 > 172.28.24.1.80: S 3478016357:3478016357(0) win 5840 (mss 1460,sackOK,timestamp 1767516467 0,nop,wscale 7) in slot1/tmm0 lis=
20:44:17.442481 IP 172.28.24.91.1111 > 172.28.24.1.80: S 3478016357:3478016357(0) win 5840 (mss 1460,sackOK,timestamp 1767516467 0,nop,wscale 7) out slot1/tmm0 lis=/Common/fwd
20:44:17.443479 IP 172.28.24.1.80 > 172.28.24.91.1111: S 57552532:57552532(0) ack 3478016358 win 5792 (mss 1460,sackOK,timestamp 1377010244 1767516467,nop,wscale 7) in slot1/tmm1 lis=
20:44:17.443596 IP 172.28.24.1.80 > 200.200.200.101.2222: S 57552532:57552532(0) ack 3478016358 win 5792 (mss 1460,sackOK,timestamp 1377010244 1767516467,nop,wscale 7) out slot1/tmm0 lis=/Common/fwd
20:44:17.452004 IP 200.200.200.101.2222 > 172.28.24.1.80: . ack 1 win 46 (nop,nop,timestamp 1767516477 1377010244) in slot1/tmm0 lis=/Common/fwd
20:44:17.452024 IP 172.28.24.91.1111 > 172.28.24.1.80: . ack 1 win 46 (nop,nop,timestamp 1767516477 1377010244) out slot1/tmm0 lis=/Common/fwd