Forum Discussion
How to configure SNAT to use a Virtual Server as source IP?
Hello,
I'm pretty new to F5 configuration. I have read quite some F5 documentation and several postings on SNAT, but I couldn't figure out how to configure the F5 to route traffic (stateful) from my internal network (192.168.28.0/29, VLAN 28) towards my external network (10.44.36.120/29, untagged).
On the internal network side the F5 has 192.168.28.6 as Self-IP, and on the external network the F5 has 10.44.36.123 as Virtual Server IP.
I managed to configure inbound HTTP traffic (incoming at 10.44.36.123) to balance over 192.168.28.1-4.
Now I would like to configure outbound traffic (stateful) on port 2900 to an external node with IP 10.44.36.122.
I hope someone is able to help me get further. Your help is very much appreciated.
7 Replies
- nathe
Cirrocumulus
A Host IP forwarding virtual server should help you here.
See http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html
N
- m_radstake_1687
Nimbostratus
Hi Nathan,
I've tried your proposed solution, but I can't get it working:
ltm virtual /Common/VSSMSC {
    destination /Common/10.44.36.122:0
    ip-forward
    mask 255.255.255.255
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan28
    }
    vlans-enabled
}
I made a tcpdump trace on the F5 and see the traffic arriving at the Self-IP 192.169.28.6 (vlan28). However, I don't see the traffic arriving at host 10.44.36.122.
What I am wondering is how the F5 knows it should use 10.44.36.123 as the source IP when sending the packets to 10.44.36.122?
- nathe
Cirrocumulus
.123 looks like a virtual server address; it won't translate to that. In the forwarding VS setup, configure a SNAT pool or SNAT automap (automap translates behind the egress interface IP on the 10.44.3.120 subnet).
- m_radstake_1687
Nimbostratus
I added a SNAT pool as below to the virtual server, but still nothing is visible at my destination (.122).
ltm snat-translation /Common/10.44.36.123 {
    address 10.44.36.123
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/SMSCsnatPool {
    members {
        /Common/10.44.36.123
    }
}
ltm virtual /Common/VSSMSC {
    destination /Common/10.44.36.122:0
    ip-forward
    mask 255.255.255.255
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool /Common/SMSCsnatPool
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan28
    }
    vlans-enabled
}
What I am actually looking for is something similar to what is shown in Figure 15.3 at the link below: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/LTM_config_guide_943/ltm_snat.html1198808
- nathe
Cirrocumulus
15.3 is referring to a SNAT object, which is also a type of listener, like a virtual server. In a SNAT object you specify the origin address and a translated address. So any traffic reaching the BIG-IP with source "origin address" is allowed to its destination and is then translated behind the "translation" address. May I suggest you don't use the VS address (.123 I think) but rather a new IP address on the 10 subnet. Hope that works for you.
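For reference, here is the SNAT-object form that the reply above describes, written out as tmsh commands. This is an added example and not part of the original thread. It uses a dedicated translation address (10.44.36.124, an assumption: any unused address in 10.44.36.120/29 would do) instead of the virtual server's .123, and the object names are assumptions as well.

```tmsh
# Added example (not the poster's or the replier's own config): a standalone
# SNAT listener with a dedicated translation address on the external subnet.
# 10.44.36.124 and the object names are assumptions.

# Translation address the BIG-IP will present on the external network.
create ltm snat-translation /Common/10.44.36.124 address 10.44.36.124

# The SNAT listener: anything arriving on vlan28 from 192.168.28.0/29 is
# forwarded to wherever it was going and its source rewritten to .124.
# Note what this does NOT do: unlike a forwarding virtual server there is no
# destination match, so the origin range and the VLAN binding are the only
# things that scope it.
create ltm snat /Common/SMSC_outbound_snat \
    origins add { 192.168.28.0/29 } \
    translation /Common/10.44.36.124 \
    vlans add { /Common/vlan28 } \
    vlans-enabled

# Confirm the listener exists and look at the flows from the translated
# (server-side) address to verify the rewrite is happening.
show ltm snat /Common/SMSC_outbound_snat
show sys connection ss-client-addr 10.44.36.124
```

The trade-off versus the forwarding virtual server in the thread is scope: a SNAT object will translate and forward traffic from the origin range to any destination the BIG-IP can route to, so keep the origin range as narrow as the internal hosts that actually need to reach the outside.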
- m_radstake_1687
Nimbostratus
Good news. I eventually managed to get it working via the Virtual Server IP (.123). Since I had been trying several ways to implement it, there was some leftover configuration from one of my attempts. After a cleanup it works with the following configuration:
ltm snat-translation /Common/10.44.36.123 {
    address 10.44.36.123
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/SMSCsnatPool {
    members {
        /Common/10.44.36.123
    }
}
ltm virtual /Common/VSSMSC {
    destination /Common/10.44.36.122:0
    ip-forward
    mask 255.255.255.255
    profiles {
        /Common/fastL4 { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool /Common/SMSCsnatPool
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan28
    }
    vlans-enabled
}
Thanks Nathan for your valuable help!
- nathe
Cirrocumulus
No problem at all. Glad you got there.
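As an added example that is not part of the original thread, the working design from the final post rebuilt as tmsh commands, with the listener narrowed to the traffic the thread actually describes (vlan28 sources in 192.168.28.0/29 going to 10.44.36.122 on port 2900, rather than any source to any port) and followed by the checks a practitioner would run to confirm the translation. Object names, the port on the destination, and the assumption that the inbound HTTP virtual server on .123 listens on port 80 are mine, not the poster's.

```tmsh
# Added example (not the poster's own config): forwarding virtual server plus
# SNAT pool, tightened to the described flow. Object names, the :2900 on the
# destination, and the source restriction are assumptions.

# 1. Translation address: the external-side IP the BIG-IP sources outbound
#    connections from. With 'arp enabled' (the default) the BIG-IP answers
#    ARP for it on the external VLAN. The inbound HTTP virtual server already
#    uses this IP; sharing an address between a virtual address and a SNAT
#    translation is allowed, and because the inbound VS only listens on its
#    service port (assumed :80), replies from .122 to .123:ephemeral match the
#    outbound connection entry instead.
create ltm snat-translation /Common/10.44.36.123 address 10.44.36.123

# 2. SNAT pool holding that single translation address.
create ltm snatpool /Common/SMSCsnatPool members add { /Common/10.44.36.123 }

# 3. Forwarding (IP) virtual server. 'ip-forward' with translate-address and
#    translate-port disabled leaves the destination untouched; only the source
#    is rewritten by the SNAT pool. Restricting 'source' and binding to vlan28
#    keeps the BIG-IP from forwarding anything else that happens to reach it.
create ltm virtual /Common/VSSMSC \
    destination /Common/10.44.36.122:2900 \
    ip-forward \
    mask 255.255.255.255 \
    source 192.168.28.0/29 \
    profiles add { /Common/fastL4 } \
    source-address-translation { type snat pool /Common/SMSCsnatPool } \
    translate-address disabled \
    translate-port disabled \
    vlans add { /Common/vlan28 } \
    vlans-enabled

# 4. Verify. The connection table shows both tuples of each flow: the
#    client-side entry (192.168.28.x -> 10.44.36.122:2900) and the server-side
#    entry, whose client address must be 10.44.36.123 if SNAT is working.
show ltm virtual /Common/VSSMSC
show ltm snat-translation /Common/10.44.36.123
show sys connection cs-server-addr 10.44.36.122 cs-server-port 2900

# 5. From the bash shell, the ':nnn' interface suffix makes tcpdump tag each
#    packet with the VLAN it was seen on, so one capture shows the pre-NAT copy
#    arriving on vlan28 and the post-NAT copy leaving on the external VLAN:
#    tcpdump -nni 0.0:nnn host 10.44.36.122 and port 2900

# 6. After changing the configuration, drop stale flows so the next test is
#    not served by a connection set up under the previous config (this is the
#    kind of leftover state that made the earlier attempts in the thread look
#    broken).
delete sys connection cs-server-addr 10.44.36.122
```

Two notes on the "stateful" requirement: the fastL4 profile keeps a connection entry per flow, so return traffic from .122 is matched and un-translated automatically, but its default idle timeout is 300 seconds; if the port 2900 sessions sit idle longer than that, create a custom fastL4 profile with a larger idle-timeout and attach it in step 3 instead of the default.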