Forum Discussion
inbound snat question (ltm v11.4.0)
I'm new to snating so please be kind. Trying to figure out an inbound snat. I want a client say ip 1.2.3.4 to hit the bigip ltm at ip 2.3.4.5 and have the request sent to a server ip 3.4.5.6. Server 3.4.5.6 will see the client/source as 2.3.4.5.
Does the snat ip address translation of 2.3.4.5 have an address list of 3.4.5.6 or 1.2.3.4? The documentation does a good job with the pictures but not so good telling how it should be implemented.
Am I missing the obvious? Any and all help would be greatly appreciated.
11 Replies
- nitass
Employee
Does the snat ip address translation of 2.3.4.5 have an address list of 3.4.5.6 or 1.2.3.4?
translation is 2.3.4.5 and origin is 1.2.3.4. anyway, if you use this snat list, it will affect all traffic from 1.2.3.4 (i.e. not only traffic destined to 2.3.4.5).
in case you want to do snat only for traffic destined to 2.3.4.5 (i assume it is virtual server), you can create snatpool with 2.3.4.5 as a member and assign to the virtual server.
- David_R__Barsti
Nimbostratus
The translation of 2.3.4.5 is set to 3.4.5.6. If I set it to 1.2.3.4, then it just points to itself and there is no traffic to 3.4.5.6. According to the docs:
An inbound SNAT translates the original client source IP address in a request to a BIG-IP system virtual server or BIG-IP system self IP address, forcing subsequent server response to return directly to Local Traffic Manager. When an inbound SNAT is configured on the system, Local Traffic Manager translates not only the destination IP address in the request (using the standard address translation mechanism), but also the source IP address in the request (using a SNAT).
Client/source 1.2.3.4 sends request to 2.3.4.5 on BigIP. BigIP changes source ip to 2.3.4.5 then sends request to server 3.4.5.6. Is that how you read it? If so, how would I configure it? iRule SNAT? Virtual Server?
- nitass
Employee
client is 172.28.24.1
virtual server is 172.28.24.10
snat is 172.28.24.10
server is 200.200.200.101
this configuration will translate source 172.28.24.1 to 172.28.24.10 when sending to destination 200.200.200.101
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool snat-172.28.24.10
        type snat
    }
    vs-index 32
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snatpool snat-172.28.24.10
ltm snatpool snat-172.28.24.10 {
    members {
        172.28.24.10
    }
}
trace
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:07:25.877058 IP 172.28.24.1.42606 > 172.28.24.10.80: S 1103785526:1103785526(0) win 5840 in slot1/tmm0 lis=
06:07:25.877207 IP 172.28.24.10.42606 > 200.200.200.101.80: S 1103785526:1103785526(0) win 5840 out slot1/tmm0 lis=/Common/bar
- nitass
Employee
this is snat list example.
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        fastL4 { }
    }
    source 0.0.0.0/0
    vs-index 32
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm snat snat-172.28.24.10
ltm snat snat-172.28.24.10 {
    origins {
        172.28.24.1/32 { }
    }
    translation /Common/172.28.24.10
}
trace
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:10:36.169966 IP 172.28.24.1.42607 > 172.28.24.10.80: S 2894379379:2894379379(0) win 5840 in slot1/tmm1 lis=
06:10:36.170015 IP 172.28.24.10.42607 > 200.200.200.101.80: S 2894379379:2894379379(0) win 5840 out slot1/tmm1 lis=/Common/bar
- David_R__Barsti
Nimbostratus
Here's what it now looks like:
ltm snat-translation /Common/2.3.4.5 {
    address 2.3.4.5
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/snat-2.3.4.5 {
    members {
        /Common/2.3.4.5
    }
}
ltm virtual /Common/bar {
    destination /Common/2.3.4.5:0
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/foo
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool /Common/snat-2.3.4.5
        type snat
    }
    translate-address enabled
    translate-port disabled
}
ltm virtual-address /Common/2.3.4.5 {
    address 2.3.4.5
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm node /Common/3.4.5.6 {
    address 3.4.5.6
}
ltm pool /Common/foo {
    members {
        /Common/3.4.5.6:0 {
            address 3.4.5.6
        }
    }
}
Have I got everything? I still can't seem to generate traffic to the server.
- nitass
Employee
Have I got everything? I still can't seem to generate traffic to the server.
can you try tcpdump?
tcpdump -nni 0.0:nnnp -s0 -w /var/tmp/output.pcap host x.x.x.x -v
x.x.x.x is client ip
- David_R__Barsti
Nimbostratus
Client 172.21.123.4 (front side address 129.74.249.147)
Virtual Server 129.74.5.169
Physical Server 172.19.232.215
tcpdump -nni 0.0:nnnp -s0 host 172.21.123.4 -v
tcpdump: listening on 0.0:nnnp, link-type EN10MB (Ethernet), capture size 65535 bytes
15:14:48.299221 IP (tos 0x0, ttl 254, id 15554, offset 0, flags [none], proto: UDP (17), length: 94) 129.74.249.147.51583 > 129.74.5.169.1812: RADIUS, length: 66
    Access Request (1), id: 0x73, Authenticator: 129dc5c74c9b2022c7f8ca1f1f17880c
    Username Attribute (1), length: 10, Value: dbarstis
    Password Attribute (2), length: 18, Value:
    NAS IP Address Attribute (4), length: 6, Value: 129.74.249.147
    NAS Port Attribute (5), length: 6, Value: 138
    NAS Port Type Attribute (61), length: 6, Value: Virtual
 in slot1/tmm1 lis=/Common/forward_0 flowtype=65 flowid=5700829C2300 peerid=570081C69800 conflags=4000EE4 inslot=3 inport=32 haunit=0 peerremote=00000000:00000000:0000FFFF:814A05A9 peerlocal=00000000:00000000:0000FFFF:814AF993 remoteport=1812 localport=51583 proto=17 vlan=983
15:14:48.299234 IP (tos 0x0, ttl 253, id 15554, offset 0, flags [none], proto: UDP (17), length: 94) 129.74.249.147.51583 > 129.74.5.169.1812: RADIUS, length: 66
    Access Request (1), id: 0x73, Authenticator: 129dc5c74c9b2022c7f8ca1f1f17880c
    Username Attribute (1), length: 10, Value: dbarstis
    Password Attribute (2), length: 18, Value:
    NAS IP Address Attribute (4), length: 6, Value: 129.74.249.147
    NAS Port Attribute (5), length: 6, Value: 138
    NAS Port Type Attribute (61), length: 6, Value: Virtual
 out slot1/tmm1 lis=/Common/forward_0 flowtype=129 flowid=570081C69800 peerid=5700829C2300 conflags=4000EE4 inslot=3 inport=32 haunit=1 peerremote=00000000:00000000:0000FFFF:814AF993 peerlocal=00000000:00000000:0000FFFF:814A05A9 remoteport=51583 localport=1812 proto=17 vlan=132
- David_R__Barsti
Nimbostratus
Thought maybe traffic to RADIUS would be UDP so changed the Protocol. No luck. Looking to see if there might be a firewall issue.
- nitass
Employee
Looking to see if there might be a firewall issue.
i do not think it is firewall because you run tcpdump on bigip. we should see snat address here.
Thought maybe traffic to RADIUS would be UDP so changed the Protocol.
can you post the udp configuration?
tmsh list ltm virtual (name)
by the way, the virtual server is already listening on vlan 983, isn't it?
- David_R__Barsti
Nimbostratus
ltm virtual safewordprod-v2 {
    destination 129.74.5.169:radius
    ip-protocol udp
    mask 255.255.255.255
    pool safewordprod-v2
    profiles {
        udp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool snat-129.74.5.169
        type snat
    }
    vs-index 2490
}
ltm pool safewordprod-v2 {
    members {
        172.19.232.215:radius {
            address 172.19.232.215
        }
    }
}
Definitely getting closer. tcpdump now shows the attempt to go to the server.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0:nnnp, link-type EN10MB (Ethernet), capture size 65535 bytes
10:13:51.071434 IP 129.74.249.147.51583 > 129.74.5.169.1812: RADIUS, Access Request (1), id: 0xe6 length: 66 in slot1/tmm1 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=3 inport=32 haunit=0 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
10:13:51.071454 IP 129.74.5.169.51583 > 172.19.232.215.1812: RADIUS, Access Request (1), id: 0xe6 length: 66 out slot1/tmm1 lis=/Common/safewordprod-v2 flowtype=128 flowid=570081DD9200 peerid=5700839D8400 conflags=4000124 inslot=3 inport=32 haunit=1 peerremote=00000000:00000000:0000FFFF:814AF993 peerlocal=00000000:00000000:0000FFFF:814A05A9 remoteport=51583 localport=1812 proto=17 vlan=132
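As an added check (not from this thread and not an F5 tool), a small Python parser over constructed tcpdump lines shaped like the two captures in this thread: it pairs the client's inbound packet with the server-side outbound packet and reports whether the flow left the BIG-IP untranslated through a forwarding listener (the forward_0 capture) or was SNATted toward the pool member (the safewordprod-v2 capture). The sample lines, flow fields and result labels are constructed for the example.

```python
import re

# Constructed sample captures shaped like the "tcpdump -nni 0.0:nnnp" output
# quoted in this thread; timestamps and flow fields are made up.
TRACE_FORWARDED = """\
15:14:48.299221 IP 129.74.249.147.51583 > 129.74.5.169.1812: RADIUS, length: 66 in slot1/tmm1 lis=/Common/forward_0 vlan=983
15:14:48.299234 IP 129.74.249.147.51583 > 129.74.5.169.1812: RADIUS, length: 66 out slot1/tmm1 lis=/Common/forward_0 vlan=132
"""
TRACE_SNATTED = """\
10:13:51.071434 IP 129.74.249.147.51583 > 129.74.5.169.1812: RADIUS, length: 66 in slot1/tmm1 lis= vlan=0
10:13:51.071454 IP 129.74.5.169.51583 > 172.19.232.215.1812: RADIUS, length: 66 out slot1/tmm1 lis=/Common/safewordprod-v2 vlan=132
"""

# One packet summary line: src.sport > dst.dport, then the BIG-IP "in"/"out"
# direction tag and the listener (virtual server) that owned the flow.
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
                 r".*?\b(in|out)\b \S+ lis=(\S*)")

def parse_packets(trace):
    pkts = []
    for line in trace.splitlines():
        m = PKT.search(line)
        if m:
            pkts.append({"src": m[1], "sport": int(m[2]), "dst": m[3],
                         "dport": int(m[4]), "dir": m[5], "vs": m[6]})
    return pkts

def check_snat(trace, client, virtual, snat, member):
    """Pair the client's inbound packet with the server-side outbound packet
    and say whether destination NAT and SNAT happened as configured."""
    pkts = parse_packets(trace)
    for i in (p for p in pkts if p["dir"] == "in"
              and p["src"] == client and p["dst"] == virtual):
        outs = [p for p in pkts if p["dir"] == "out" and p["sport"] == i["sport"]]
        if not outs:
            return ("no-egress", "inbound seen but nothing left the BIG-IP")
        o = outs[0]
        if o["dst"] != member:
            return ("no-dnat", "flow left via %s toward %s, not pool member %s"
                    % (o["vs"] or "no listener", o["dst"], member))
        if o["src"] == client:
            return ("no-snat", "server would see client %s directly" % client)
        if o["src"] != snat:
            return ("wrong-snat", "server sees %s instead of %s" % (o["src"], snat))
        return ("ok", "server-side flow %s:%d -> %s:%d via %s"
                % (snat, o["sport"], member, o["dport"], o["vs"]))
    return ("no-ingress", "no packet from %s to %s captured" % (client, virtual))
```

Run it against a real capture by feeding the text of `tcpdump -nni 0.0:nnnp -s0 host <client>` to `check_snat` with the client, virtual, SNAT and pool member addresses from your own config.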