For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

thomass87_91937's avatar
thomass87_91937
Icon for Nimbostratus rankNimbostratus
Oct 30, 2014

inline configuration

Hi,

 

I have configuration: NET => FW => F5 => SRV

 

I have VS1 which forwards traffic to SRV (no SNAT used, not possible to do XFF so source address of client is seen). F5 is def gw for SRV. On F5 there is also forwarding IP VS 0/0 and def route to FW. FW also have static route for SRV subnet poiting to F5.

 

Questions: 1. Client from net goes to VS1 (SNAT off) is redirected to SRV (source address is seen, destination nat is in place to pass traffic to SRV). I assume that return traffic from SRV is hitting VS 0/0 (am I right?) VS 0/0 have snat off. And I also assume that source address of SRV is changed to VS1 IP (am I also right?). If not, should I do some SNAT on VS 0/0?

 

  1. Second example. When server is originating connection to NET it hits VS 0/0, is that right? No SNAT is configured so source address of server is seen outside? The route on FW pass traffic back to SRV via F5.

     

  2. If point 1 is true (so when return traffic is automatically SNATed back to VS1 IP) what determines that traffic is SNATed or not? Is it previously created session/entry for DNAT when traffic originating from Net hits VS1?

     

inline
routing
snat

26 Replies

Show More
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    Oct 30, 2014

    Please paste full configuration of your 0.0.0.0/0 VS. There are many ways the routing can be done.

     

    • thomass87_91937's avatar
      thomass87_91937
      Icon for Nimbostratus rankNimbostratus
      Nov 02, 2014
      I have question regarding my VS 0/0 configuration. It is enabled only on server-vlan. If I understand correctly when the server itself is originating connection outside it will hit VS 0/0. How does this configuration applies when connection is originating from another subnet (for example behind FW) to server IP address (not VS1). Connection will be dropped/rejected? Should VS 0/0 listen on all vlans to allow such connections?
    • thomass87_91937's avatar
      thomass87_91937
      Icon for Nimbostratus rankNimbostratus
      Oct 30, 2014
      ltm virtual forward-all { destination 0.0.0.0%8:any ip-forward mask any profiles { fastL4-test { } } source 0.0.0.0%8/0 translate-address disabled translate-port disabled vlans { server-vlan } vlans-enabled vs-index 307 } ltm profile fastl4 fastL4-test { app-service none defaults-from fastL4 loose-close enabled loose-initialization enabled reset-on-timeout disabled }
  • thomass87_91937's avatar
    thomass87_91937
    Icon for Nimbostratus rankNimbostratus
    Oct 30, 2014
    There is mistake in question numbers. I do not know why I cannot edit it. Before "Second example" should be "2" and of course instead of 2 should be 3