Forum Discussion
thomass87_91937
Oct 30, 2014 Nimbostratus
inline configuration
Hi,
I have configuration:
NET => FW => F5 => SRV
I have VS1 which forwards traffic to SRV (no SNAT used, not possible to do XFF so source address of client is seen). F5 is def gw for SRV. O...
Hannes_Rapp
Nimbostratus
Sorry, but I'll try to answer only your first question right now. We'll come back to others once we have time, or maybe others can help.
"Questions: 1. Client from net goes to VS1 (SNAT off) is redirected to SRV (source address is seen, destination nat is in place to pass traffic to SRV). I assume that return traffic from SRV is hitting VS 0/0 (am I right?) VS 0/0 have snat off. And I also assume that source address of SRV is changed to VS1 IP (am I also right?). If not, should I do some SNAT on VS 0/0?"
- If VS1 is from where the client comes in (another VS with a pool attached), then the return traffic won't go past the VS 0/0, but it will be routed back from the same VS1. The client will see the source IP address of return packets as the same as the VS1 external listener IP. Traffic will go through the VS 0/0 only if the session was initiated by SRV. (E.g. SRV making a DNS request to 8.8.8.8 will be routed via VS 0/0, and no NAT will be applied in F5.)
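The lookup order described in the answer above, as an added example that is not part of the original thread: a simplified Python model (not F5 code) in which an existing flow is matched before any virtual server is considered. The class and function names are hypothetical, the addresses are the ones used in this thread, and the port numbers are assumed.

```python
# Simplified model of a full-proxy flow table; not F5 code. Names are hypothetical.
from ipaddress import ip_address, ip_network

VIRTUAL_SERVERS = [  # (name, destination network, port or None for any, pool member)
    ("VS1", ip_network("192.168.1.1/32"), 80, "192.168.2.1"),
    ("VS0/0", ip_network("0.0.0.0/0"), None, None),  # wildcard forwarding VS
]

class Proxy:
    def __init__(self):
        # expected packet 4-tuple -> (owning VS, rewritten 4-tuple)
        self.flows = {}

    def _match_vs(self, dst, dport):
        # Most specific destination wins; the 0/0 wildcard is the last resort.
        hits = [v for v in VIRTUAL_SERVERS
                if ip_address(dst) in v[1] and v[2] in (None, dport)]
        return max(hits, key=lambda v: v[1].prefixlen)

    def handle(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        # 1. Existing connection: reuse the translation stored at flow creation.
        if key in self.flows:
            return self.flows[key]
        # 2. New connection: select a virtual server by destination.
        name, _, _, member = self._match_vs(dst, dport)
        out = (src, sport, member or dst, dport)  # destination NAT only, SNAT off
        # Register the return direction: replies leave with the original
        # destination (the VS address) as their source.
        self.flows[(out[2], out[3], out[0], out[1])] = (name, (dst, dport, src, sport))
        self.flows[key] = (name, out)
        return name, out

if __name__ == "__main__":
    p = Proxy()
    print(p.handle("1.1.1.1", 40000, "192.168.1.1", 80))   # client -> VS1
    print(p.handle("192.168.2.1", 80, "1.1.1.1", 40000))   # SRV reply, same flow
    print(p.handle("192.168.2.1", 53000, "8.8.8.8", 53))   # SRV-initiated, VS 0/0
```
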
thomass87_91937
Oct 31, 2014 Nimbostratus
Ok, maybe some example (SIP = source IP; DIP = destination IP):
Packet from net/fw to F5 VS1:80 => SIP:1.1.1.1 DIP:192.168.1.1 (192.168.1.1 is VS1)
Packet from F5 to SRV => SIP 1.1.1.1 DIP: 192.168.2.1 (no snat, 192.168.2.1 is server IP address)
Response packet from SRV to F5 => SIP:192.168.2.1 DIP:1.1.1.1
Response packet from F5 to Client => SIP: ??? DIP:1.1.1.1
Instead of "???" which SIP is correct? 192.168.1.1 or 192.168.2.1? I assume and as you said previously (and I want to be) it is 192.168.1.1
However, according to: "when Local Traffic Manager does not find a specific virtual server match for a client’s destination IP address, LTM matches the client’s destination IP address to a wildcard virtual server," (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/2.html) 1.1.1.1 is not configured on F5 and maybe VS 0/0 will be chosen. On the other hand, this quotation does not say if it applies to first/incoming traffic or return traffic.