Forum Discussion
millencol1n_619
Nimbostratus
Aug 31, 2009
Nat - multiple networks
Hi,
I've a problem with NAT...
I use the following setup:
internal network 10.x.x.x -> some servers out of that network are NATted to 62.1.1.x and some to 62.1.2.x
The default route on the F5 is 62.1.1.1, and now I'm facing the problem that all hosts NATted to 62.1.2.x have problems in setting up a valid TCP/IP connection. Ping works, but all other connections are reset.
Maybe someone can help me out here...
Looks like there's a need for source routing or something similar...
Anyone can help me out here?
cheers!
4 Replies
- Ajit_Mohan_2587
Nimbostratus
I am having the same issue. Below is my scenario:
Server A IP: 10.82.26.x/24 - Internal VLAN-A
NAT'ed External IP: 10.82.126.x/24 - External VLAN-B
Server B IP: 10.82.86.x/24 - Internal VLAN-C
NAT'ed External IP: 10.82.186.x/24 - External VLAN-D
Default Route on the F5 is 10.83.128.1
Issue is I am able to ping machines in the remote datacenter from Server A and Server B, but cannot SSH / RDP to any machine. The TCP connections are being reset. Since we have multiple VLANs, a per-VLAN default gateway as mentioned in the article above is not an option because the source IP of the server will be the SNAT IP instead of the NAT IP.
Any idea why NATs won't work in multiple networks.
Thanks
- L4L7_53191
Nimbostratus
What device is actually replying to the ping? It may be the BigIP... Which device is actually issuing the RST?
You can have multiple gateways, multiple vlans, etc. - that's not an issue. For a setup like this, I'd consider using forwarding virtual servers that point to a gateway pool - which can be a single address - that you care about.
E.g. set up a virtual like 10.82.186.0:0, turn off port translation, and point that virtual to a pool with a single member of your gateway address for that particular remote network (this pool member should be listening on port zero). Also bind a source NAT (SNAT) address to this VIP that will force the route back to BigIP on return traffic.
Route domains may also be an option here, but I don't have much experience with them.
-- Matt
- Ajit_Mohan_2587
Nimbostratus
Thanks Matt.
Using the forwarding virtual server and binding a SNAT will change the source address.
For example, client users access the server for management purposes using the NAT IP (in my case 10.82.186.10). Now when they are connected to the server and they try to access any other machine on their network (outgoing from LTM), the source IP should be the NAT IP 10.82.186.10. If I use a forwarding virtual server with a SNAT then the outgoing traffic will have the SNAT IP instead of the NAT IP.
All I am trying to do is for management traffic I want to use NAT and for load balancing the servers I will create Virtual Servers.
I was trying a couple of things and found that disabling "VLAN-Keyed Connections" fixed the TCP reset issue, and I am able to access the machines using the NAT IPs. Now I am not very sure what the "VLAN-Keyed Connections" option does... the documents don't have much information about it.
Thanks,
Ajit
- John_Pribula_10
Nimbostratus
How do you enable a pool on a forwarding virtual server? Is it the last hop pool?
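As an added example (not posted by anyone in this thread), here is how Matt's suggestion of a forwarding virtual server with a gateway pool and a bound SNAT would look in tmsh, using Ajit's NAT'ed range 10.82.186.0/24 on External VLAN-D. The object names, the SNAT address 10.82.186.250 and the placeholder GATEWAY_FOR_VLAN_D are assumptions; the thread does not give the next hop for that VLAN. The pool is attached directly to the virtual server, not as a last-hop pool, which answers John's question. The final line is the tmsh form of the "VLAN-Keyed Connections" switch Ajit toggled, given here as the setting I believe corresponds to that checkbox.

```tmsh
# Added example, not the thread's own configuration. Addresses other than
# 10.82.186.0/24 are assumed; GATEWAY_FOR_VLAN_D is a placeholder.

# 1. Gateway pool: one member, the next hop for the remote network,
#    listening on port 0 so any service matches.
create ltm pool pool_gw_vlan_d members add { GATEWAY_FOR_VLAN_D:0 }

# 2. SNAT pool holding the address that return traffic will be sent to,
#    so replies come back through the BIG-IP (this is the source-address
#    change Ajit objects to for management traffic).
create ltm snatpool snat_vlan_d members add { 10.82.186.250 }

# 3. Forwarding virtual server for the whole 10.82.186.0/24 range, any
#    port, any protocol. Address and port translation are disabled so the
#    packet's destination is untouched; the regular pool (not a last-hop
#    pool) supplies the next hop.
create ltm virtual vs_fwd_vlan_d destination 10.82.186.0:0 mask 255.255.255.0 ip-protocol any profiles add { fastL4 } translate-address disabled translate-port disabled pool pool_gw_vlan_d source-address-translation { type snat pool snat_vlan_d }

# 4. Alternative that keeps the NAT IP as the source, as Ajit found:
#    stop keying the connection table on the ingress VLAN so a reply
#    arriving on a different VLAN still matches the existing flow.
#    (Assumed db key name for the "VLAN-Keyed Connections" checkbox.)
modify sys db connection.vlankeyed value disable
```

Disabling VLAN-keyed connections removes the VLAN from the flow lookup for every connection on the box, so check that no two VLANs carry overlapping address space before relying on it; the forwarding-virtual approach is scoped to one destination range but changes the source address as Ajit describes.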