Forum Discussion
Kevin_Nail
Nimbostratus
Aug 22, 2007
Load balancing a pool across geographic locations
We are attempting to set up a pool that will be load balanced between the US and Singapore in a DMZ at our 2 sites. On the US side we have set up a route for the Asia traffic to get out of our firewall, but we need to set up a SNAT for it to get back. We have set up an extra VLAN on the internal side for this project that we can use. The problem is that if we enable a SNAT on the external side (meaning the outgoing traffic to Asia is SNAT'd), then all traffic on the external side gets SNAT'd, which breaks a lot of things.
Question: is there a way to apply a SNAT to only 1 IP (the Asia IP)? Or should we be using a NAT, or maybe an iRule? We are scratching our heads, so any help would be appreciated.
Thanks,
Kevin
5 Replies
- Diego_19194
Nimbostratus
Have you configured a snatpool?
You can do a snatpool and specify there which are the members.
For example:
snatpool snat-Pool-Test {
   member 192.168.19.100 192.168.19.101
}
And in each virtual server call to this snatpool like:
virtual SNAT-example {
   destination any:any
   snatpool snat-Pool-Test
   vlans default_1 default_2 enable
}
- Deb_Allen_18
Historic F5 Account
Sure, you can create an iRule to SNAT only traffic bound for the remote server address:
when LB_SELECTED {
   # act only on connections going to remote servers
   if { [IP::addr [IP::server_addr] equals 1.2.3.4] } {
      # snat to local address
      snat 4.3.2.1
   }
}
HTH
/deb
- Deb_Allen_18
Historic F5 Account
Better yet, if you enable SNAT automap on the selfIP on the egress VLAN for that traffic, you can use "snat automap" instead:
when LB_SELECTED {
   # act only on connections going to remote servers
   if { [IP::addr [IP::server_addr] equals 1.2.3.4] } {
      # snat to local address
      snat automap
   } else {
      snat none
   }
}
The "snat none" action is required for non-matching traffic since automap will take effect for all traffic by default.
/deb
- Kevin_Nail
Nimbostratus
Many thanks,
That looks a whole lot simpler than the ideas we were coming up with. By egress VLAN, I assume you mean the VLAN the traffic came in on?
Kevin
- Deb_Allen_18
Historic F5 Account
Egress VLAN would be the VLAN on which the packet leaves LTM, with the goal of forcing response traffic to return via that interface/VLAN.
/d
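Building on the two iRules in Deb's replies, here is an added example (not code from the thread) that goes beyond the single-address case: it matches the selected pool member against an address-type data group so several remote-site networks can share one rule, and logs each translation for verification. It assumes a hypothetical data group named remote_dmz_sites, the v10+ "class match" syntax, and a self IP on the egress VLAN for "snat automap" to use.

```tcl
# Added example, not from the thread. Assumes an address-type data group
# named remote_dmz_sites (hypothetical) that lists the remote-site server
# networks, e.g. in v11-style config:
#   ltm data-group internal remote_dmz_sites { type ip records { 203.0.113.0/24 { } } }
# and a self IP on the egress VLAN for "snat automap" to pick.
when LB_SELECTED {
    # Decide per connection, once the pool member is chosen, whether that
    # member lives at a remote site.
    if { [class match [IP::server_addr] equals remote_dmz_sites] } {
        # Remote member: source-NAT to the self IP of the egress VLAN so the
        # reply from the far side is routed back through this LTM.
        snat automap
        # Log the translation so the changed source address is visible in
        # /var/log/ltm while the setup is being validated.
        log local0. "remote member [IP::server_addr]: snat automap for client [IP::client_addr]"
    } else {
        # Local member: keep the original client source, since automap would
        # otherwise apply to every connection handled by this virtual server.
        snat none
    }
}
```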