Forum Discussion
how to configure inbound NAT?
Hello,
I would like to achieve the following: do SSH on port 22 from an external host towards the Virtual Server IP of the F5. F5 should translate the Virtual Server IP to an internal IP. For example: ssh 10.44.36.123 ---> ssh 192.168.30.2
I defined a NAT rule:
NAT Address 10.44.36.123
Origin Address 192.168.30.2
I also created a Virtual Server with address 10.44.36.123. How does this Virtual Server know to use NAT?
SSH from the F5 to 192.168.30.2 succeeds.
When I log in from an external host, I receive:
ssh 10.44.36.123
ssh_exchange_identification: read: Connection reset by peer
Am I taking the right approach by using NAT? What am I doing wrong?
Your help is appreciated, Marcel
5 Replies
- nathe
Cirrocumulus
Hi Marcel,
Hope I can help. A Std Virtual server with a pool does destination NAT by default. So VS would terminate on 10.44.36.123 and then proxy traffic to pool member 192.168.30.2. If you need Source NAT, to allow for routing back to external client then you can simply select Automap on the VS (Under Source Address Translation).
You can use a NAT listener too to achieve this same effect, although there is no load-balancing/pool and you don't configure a port either (i.e. all traffic is allowed). Here you would configure a NAT with origin address 192.168.30.2 and translation address of 10.44.36.123.
Both a VS and a NAT are "listeners".
If you had both configured, however, then the VS takes precedence over the NAT listener.
Hope this helps,
N
- m_radstake_1687
Nimbostratus
Hello Nathan,
As a test I configured as you suggest a VS (port 22) with only one member in the pool. SSH works then fine.
What I ultimately would like to achieve is the following:
ssh "VS-IP" -p 2201 -> ssh internal-node-1
ssh "VS-IP" -p 2202 -> ssh internal-node-2
ssh "VS-IP" -p 2203 -> ssh internal-node-3
ssh "VS-IP" -p 2204 -> ssh internal-node-4
So I need a mechanism to translate the port from 220x to 22. In the VS-config I see a field "port translation" (enabled by default). I can't find a clear description in the F5 docs of what this parameter is actually doing.
Regards, Marcel
- nathe
Cirrocumulus
Port Translation means destination port translation, i.e. the VS could listen on port 2201 and the pool member has port 22 associated with it, this setting enabled means the port is indeed translated from 2201 to 22. Where you might have that disabled if you have a wildcard port VS and wildcard port on the pool member. Hope that clears that up for you.
- m_radstake_1687
Nimbostratus
Now I understand the principle. It works. Thanks again!
- nathe
Cirrocumulus
No probs. Glad I could help.
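The port mapping worked out in this thread, written as tmsh commands (an added example, not posted by either participant): one single-member pool and one virtual server per SSH target, each listening on its own port on 10.44.36.123 and translating to port 22 on the member. The object names and the addresses for nodes 2 to 4 are constructed placeholders, and Automap is included on the assumption that replies must route back through the BIG-IP. Unlike the NAT listener, which passes all traffic, these listeners accept only ports 2201 to 2204.

```tmsh
# Added example. Object names and the node 2-4 addresses are constructed
# placeholders; only 10.44.36.123 and 192.168.30.2 come from the thread.

# One single-member pool per SSH target; the member port is 22.
create ltm pool pool_ssh_node1 members add { 192.168.30.2:22 } monitor tcp
create ltm pool pool_ssh_node2 members add { 192.168.30.3:22 } monitor tcp
create ltm pool pool_ssh_node3 members add { 192.168.30.4:22 } monitor tcp
create ltm pool pool_ssh_node4 members add { 192.168.30.5:22 } monitor tcp

# One virtual server per external port on the same virtual address.
# translate-address rewrites the destination IP to the pool member,
# translate-port rewrites the destination port (220x) to the member port (22),
# and automap source-NATs the client so the reply returns via the BIG-IP.
create ltm virtual vs_ssh_2201 destination 10.44.36.123:2201 ip-protocol tcp profiles add { tcp } pool pool_ssh_node1 translate-address enabled translate-port enabled source-address-translation { type automap }
create ltm virtual vs_ssh_2202 destination 10.44.36.123:2202 ip-protocol tcp profiles add { tcp } pool pool_ssh_node2 translate-address enabled translate-port enabled source-address-translation { type automap }
create ltm virtual vs_ssh_2203 destination 10.44.36.123:2203 ip-protocol tcp profiles add { tcp } pool pool_ssh_node3 translate-address enabled translate-port enabled source-address-translation { type automap }
create ltm virtual vs_ssh_2204 destination 10.44.36.123:2204 ip-protocol tcp profiles add { tcp } pool pool_ssh_node4 translate-address enabled translate-port enabled source-address-translation { type automap }

# Review one listener, then persist the running configuration.
list ltm virtual vs_ssh_2201
save sys config
```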