inline configuration

"... Response packet from F5 to Client => SIP: ??? DIP:1.1.1.1 Instead of "???" which SIP is correct? 192.168.1.1 or 192.168.2.1? I assume and as you said previously (and I want to be) it is 192.168.1.1"

• SIP is 192.168.1.1

"(https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/2.html) 1.1.1.1 is not configured on F5 and maybe VS 0/0 will be chosen. In other hand, this quotation does not say if it applies to first/incoming traffic or return traffic."

• Response packets are already routed back as per connections table records, not as per virtual server configurations. You certainly don't have to configure 1.1.1.1 VS to ensure response packets are routed back.

"... Response packet from F5 to Client => SIP: ??? DIP:1.1.1.1 Instead of "???" which SIP is correct? 192.168.1.1 or 192.168.2.1? I assume and as you said previously (and I want to be) it is 192.168.1.1"

• SIP is 192.168.1.1

"(https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/2.html) 1.1.1.1 is not configured on F5 and maybe VS 0/0 will be chosen. In other hand, this quotation does not say if it applies to first/incoming traffic or return traffic."

• Response packets are already routed back as per connections table records, not as per virtual server configurations. You certainly don't have to configure 1.1.1.1 VS to ensure response packets are routed back.

Second example. When server is originating connection to NET it hits VS 0/0, is that right? No SNAT is configured so source address of server is seen outside? The route on FW pass traffic back to SRV via F5.

yes unless you also have snat list configuration.

It is enabled only on server-vlan. If I understand correctly when the server itself is originating connection outside it will hit VS 0/0. How does this configuration applies when connection is originating from another subnet (for example behind FW) to server IP address (not VS1). Connection will be dropped/rejected? Should VS 0/0 listen on all vlans to allow such connections?

yes connection will be rejected. bigip is default deny device. to allow traffic, object listener (i.e. virtual server, snat, nat) is required.

sol9038: The order of precedence for local traffic object listeners

Second example. When server is originating connection to NET it hits VS 0/0, is that right? No SNAT is configured so source address of server is seen outside? The route on FW pass traffic back to SRV via F5.

yes unless you also have snat list configuration.

It is enabled only on server-vlan. If I understand correctly when the server itself is originating connection outside it will hit VS 0/0. How does this configuration applies when connection is originating from another subnet (for example behind FW) to server IP address (not VS1). Connection will be dropped/rejected? Should VS 0/0 listen on all vlans to allow such connections?

yes connection will be rejected. bigip is default deny device. to allow traffic, object listener (i.e. virtual server, snat, nat) is required.

sol9038: The order of precedence for local traffic object listeners

Hi,

I have also another question: Do I really need: loose-close enabled loose-initialization enabled configuration? Or in inline configuration when the all traffic is passing thru F5 I do not need this settings? (I think they should be enabled in nPath architecture). Please correct me if I am wrong.