DMB_19518
Sep 19, 2016

LTM: Configuring outgoing (passive) FTP connections

I have a number of internal nodes behind an LTM (11.4.1 HF3) using non-routable IP addresses. These nodes need to connect to external FTP servers to retrieve data from them using passive FTP.

The only thing I was planning to do then was to configure a SNAT on the LTM to permit those internal nodes to get a routable IP address so that they can reach the FTP destination for the control and data port connections.

The question I have is if configuring a SNAT is all I need to do, or if there is any sort of limitation in the F5 unit that requires doing something else.

The reason for the question is because I found some links in support.f5.com that seem to say something is not OK with FTP, but I still don't get what is wrong with the setup I was planning for my specific case.

Thanks in advance!

  • James_Thomson_1
    Historic F5 Account

    I believe your best bet is to configure a 0.0.0.0/0 virtual server of type Standard with an FTP profile assigned to it and no pool and with your SNAT.

    The FTP profile is the Application Layer Gateway that will allow the dynamic FTP ports to be opened up appropriately.

    • DMB_19518

      Thanks a lot for the answer! However, the FTP is outgoing from the internal nodes to the outside, so there is no need to configure a standard VS as I will not be balancing over any member or pool. I simply want FTPS connections going out and use the LTM to provide a routable IP address.

      Sorry if this was not clear in the description.

  • Just to finish this topic, I have configured a SNAT only and FTP works perfectly for outgoing connections initiated from members in the internal realm.

    For reference, this is the SW build I ended up using:

    Main Package
      Product  BIG-IP
      Version  11.4.1
      Build    711.0
      Edition  Hotfix HF11
      Date     Tue Aug 30 12:18:51 PDT 2016
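
An added example, not part of the original thread and not F5 code: it parses the FTP control lines that negotiate a data channel (RFC 959 `PORT` and `227`, RFC 2428 `229`) and flags the ones that advertise an RFC 1918 address, which is the case where address translation alone fails and an FTP-aware gateway has to rewrite the payload. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple carried by PORT and by the 227 reply to PASV (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 reply to EPSV carries only a port: (|||port|)  (RFC 2428)
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")
# Non-routable ranges, as used by the internal nodes in the question
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def data_endpoint(line):
    """Return (mode, ip_or_None, port) if the control line negotiates a data channel, else None."""
    line = line.strip()
    verb = line.split(" ", 1)[0].upper()
    if verb in ("PORT", "227"):
        m = _HOSTPORT.search(line)
        if not m or any(int(x) > 255 for x in m.groups()):
            return None
        octets = [int(x) for x in m.groups()]
        ip = ".".join(str(o) for o in octets[:4])
        port = octets[4] * 256 + octets[5]  # port is sent as two bytes, high then low
        return ("active" if verb == "PORT" else "passive", ip, port)
    if verb == "229":
        m = _EPSV.search(line)
        if m and int(m.group(1)) <= 65535:
            return ("passive", None, int(m.group(1)))  # peer reuses the control-channel address
    return None


def needs_alg(line):
    """True when the line tells the peer to connect to a non-routable address."""
    ep = data_endpoint(line)
    if ep is None or ep[1] is None:
        return False
    addr = ipaddress.ip_address(ep[1])
    return any(addr in net for net in _RFC1918)


# Constructed control-channel lines (documentation and RFC 1918 addresses)
SAMPLE = [
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # external server answers PASV
    "229 Entering Extended Passive Mode (|||50000|)",   # external server answers EPSV
    "PORT 10,1,1,25,19,137",                            # internal client in active mode
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(sample_line, "->", data_endpoint(sample_line), "ALG needed:", needs_alg(sample_line))
```

In passive mode both connections are opened by the internal client toward a public address, so neither line needs rewriting; only the active-mode `PORT` line is flagged. With FTPS the control channel is encrypted after the TLS handshake, so an in-path device cannot read or rewrite these lines at all.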