Forum Discussion

Mustafa_elAbd's avatar
Mustafa_elAbd
Icon for Nimbostratus rankNimbostratus
Apr 02, 2023

I Rule to translate destination ssh port to custom port

Hello gents ,  i have deploymetnt as following :  client > FW > F5 > [Node 1 and Node 2] >F5  > FW > Srv  both F5 are the gateways of the two nodes .  f5 configured with performance l4 to match a...
application delivery
devops
i rule
Mustafa_elAbd's avatar
Mustafa_elAbd
Icon for Nimbostratus rankNimbostratus

thaks for your reply .

the virtual serer is 0.0.0.0/0 and also the pool match on all port .

the problem here is that the pool member devices can't inspect the ssh traffic and need it to be changed so not drop it . 

 

Paulius's avatar
Paulius
Icon for MVP rankMVP
Apr 04, 2023

Mustafa_elAbd If you can please share your configuration for the VS and the associated pool that would be helpful because typically you do not configure a catchall VS and associate a pool to it. In almost every case the catchall is used to pass routed traffic from one side of the F5 to the other with minimal manipulation. If you have a pool associated to it this becomes a bit more difficult to modify on the F5. The easiest thing you can do will most likely be to create a PAT on the firewall that maps port 22 on the mapped (what everyone else sees) to 22022 on the real side (what your servers are actually listening on) but this still isn't the ideal way of handling this. Typically security by obscurity isn't a great solution for security but instead you leave it as port 22 and then lock down that port as much as possible via firewall, IPS, and server security configuration.