Forum Discussion
sstafford
Nimbostratus
NimbostratusICMP and the Forwarding Virtual Server
Hi All,
Currently we have a forwarding virtual server set up that will forward along anything to any address on the vlans it is enabled on;
virtual ReplaceNat {
ip forward
destination any:any
mask none
vlans VLAN1115
VLAN1116 enable
}
Security-wise, that's a bit too open for comfort, so we're replacing it with a set of more service-specific forwarding virtual servers, like this one for ssh;
virtual SshWildCard {
translate service disable
ip forward
destination any:ssh
mask none
ip protocol tcp
vlans VLAN1115
VLAN1116 enable
profiles fastL4
}
This has gone well for the most part, until the time comes to disable the initial forwarding virtual server--"ReplaceNat"--at which point a third party monitoring server starts complaining that it can no longer ping the servers behind the load-balancer.
Obviously, the ReplaceNat forwarding virtual server is allowing icmp traffic and the more specific forwarding virtual servers are not. Is there a way to either set up a forwarding virtual server for just icmp traffic, either by creating a new virtual server, or adding a iRule to ReplaceNat so that all traffic other than icmp is blocked there?
Thanks,
Sid
- dennypayne
Employee
Hi Sid,
Sure you can just set up another IP Forwarding virtual server on 0.0.0.0 that has protocol set to Other and choose ICMP (because your SshWildCard one is only on TCP). What I don't know off the top of my head is what exactly needs to go in the protocol box when you select Other; I think it's the protocol number (in the case of ICMP it would be 1) or whether it will actually recognize the characters "ICMP."
Denny 
Eslam_Ahmed_630Thanks for your feedback about ICMP protocol number :)- Eslam_Ahmed_630Thanks for your feedback about ICMP protocol number :)
