Forum Discussion

Korai_331784's avatar
Korai_331784
Icon for Altostratus rankAltostratus
Sep 13, 2018

Inside Server Internet Access through F5

Hi,

 

I have a requirement to allow internet/outside access to one of our internal server. I am following below steps. Please correct me if i am missing anything.

 

Server IP Needs Outside/Internet access : A.B.C.D

 

1 - Configure IP Forwarding Virtual Server on F5 Node 2 - Set destination address as 0.0.0.0/0 on VS 3 - Set source address as A.B.C.D on VS (server IP needs internet access) 4 - Configure SNAT Pool with public IP and assign to virtual Server 5 - Configure Pool member of server needs Internet access 6 - Attach pool member to virtual Server

 

BIG-IP
cloud
LTM
security
  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Sep 13, 2018

    Forwarding virtual servers don't have pool members but otherwise, yes.

     

    If you wanted to be security minded then you could just open TCP/80 and TCP/443 ( and possibly UDP/53, for DNS ).

     

    The other way that you can do it is to configure the F5 as an explicit proxy ( standard VS with modified HTTP profile and DNS resolver ) and set that as the proxy in the server.

     

    As with all things F5, you can do it a million ways depending on what you want.

     

  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Sep 13, 2018

    Hi,

    • First of you have to set the default GW of your internal server to F5 (Int Interface, Floating if it's a cluster or self if it's a standalone)

    • create a VS (Forwarding (IP)) with 0.0.0.0:*

    in your vs set:

    translate-address disabled
translate-port disabled
    • If necessary, you can also configure a secure network address translation (SNAT) pool or enable SNAT automap to translate the source address. You may have to do this when forwarding traffic from RFC1918-addressed hosts over publicly routable networks.

    So you have to set snat automap in order to avoir asymetric routing and retrieve ext ip.

    More, you don't need to set a pool, IP forwarding FW the traffic to the destination IP address that is specified in the request rather than load balancing the traffic to a pool.

    for more information:

    https://support.f5.com/csp/article/K7595

    Let me know if you need more details.

    Just for information you have auther possibility to do it, example with a standard vs and pool...

    Regards,