Forum Discussion

zhu_shaofeng_14's avatar
zhu_shaofeng_14
Icon for Nimbostratus rankNimbostratus
Dec 25, 2013

NAT and VS Forwarding Issue

Hi:

 

I have one server need to access WAN and Internet, I create one VS Forwarding for WAN and One NAT for Internet, The LTM has three interface, one for internal, one for WAN, and one for Internet connection.

 

I enable VS Forwarding on Internal interface, enable NAT on Internet Interface Routing configuration are all correct.

 

But the problem is when the server need access to the WAN network, the NAT always translate the IP to the public IP address, even I never enable the NAT on the WAN interface.

 

But When I delete the NAT, the server can access the WAN correctly.

 

My OS version is BIG-IP 11.3.0 Build 3138.0 Hotfix HF7. Anybody face the same problem?

 

  • e.g.

     nat
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm nat nat1
    ltm nat nat1 {
        inherited-traffic-group true
        originating-address 200.200.200.101
        traffic-group traffic-group-1
        translation-address 172.28.20.15
        vlans {
            internal
        }
        vlans-enabled
    }
    
     virtual server
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual wildcard
    ltm virtual wildcard {
        destination any:0
        mask any
        profiles {
            fastL4 { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            internal
        }
        vlans-enabled
        vs-index 26
    }
    
     irule to send wan and internet to corresponding gateway
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when CLIENT_ACCEPTED {
      if { [IP::addr [IP::local_addr] equals 172.28.26.0/24] } {
        pool wangw
      } else {
        pool netgw
      }
    }
    }
    
     wan gateway
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool wangw
    ltm pool wangw {
        allow-nat no
        members {
            172.28.20.16:0 {
                address 172.28.20.16
            }
        }
    }
    
     internet gateway
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool netgw
    ltm pool netgw {
        members {
            172.28.20.254:0 {
                address 172.28.20.254
            }
        }
    }
    
     internet traffic (source ip is nated to 172.28.20.15)
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    08:39:20.714137 IP 200.200.200.101.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 
    08:39:20.714270 IP 172.28.20.15.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 
    
     wan traffic (source ip is not nated)
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    08:40:15.302032 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840 
    08:40:15.304022 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840 
    

7 Replies

  • do you know all wan address server has to access?

     

    if yes, you may create two virtual servers; one is network virtual server for wan and the other one is wildcard virtual server for internet. then enable snat automap/snatpool under the wildcard virtual server (do not use snat list).

     

  • Yes, I know all the wan servers need to be accessed.

     

    But Must I create two VS?

     

    One VS for Forwarding (WAN), One NAT (Internet) will not work?

     

    Please correct me, thanks

     

  • But Must I create two VS?

     

    One VS for Forwarding (WAN), One NAT (Internet) will not work?

     

    nat creates both source and destination listener objects. so, it will be applied to wan traffic.

     

    sol9038: The order of precedence for local traffic object listeners

     

    http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html

     

    to disable nat for wan traffic, you can disable allow-nat under wan gateway pool configuration.

     

  • e.g.

     nat
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm nat nat1
    ltm nat nat1 {
        inherited-traffic-group true
        originating-address 200.200.200.101
        traffic-group traffic-group-1
        translation-address 172.28.20.15
        vlans {
            internal
        }
        vlans-enabled
    }
    
     virtual server
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual wildcard
    ltm virtual wildcard {
        destination any:0
        mask any
        profiles {
            fastL4 { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            internal
        }
        vlans-enabled
        vs-index 26
    }
    
     irule to send wan and internet to corresponding gateway
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when CLIENT_ACCEPTED {
      if { [IP::addr [IP::local_addr] equals 172.28.26.0/24] } {
        pool wangw
      } else {
        pool netgw
      }
    }
    }
    
     wan gateway
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool wangw
    ltm pool wangw {
        allow-nat no
        members {
            172.28.20.16:0 {
                address 172.28.20.16
            }
        }
    }
    
     internet gateway
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool netgw
    ltm pool netgw {
        members {
            172.28.20.254:0 {
                address 172.28.20.254
            }
        }
    }
    
     internet traffic (source ip is nated to 172.28.20.15)
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    08:39:20.714137 IP 200.200.200.101.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 
    08:39:20.714270 IP 172.28.20.15.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 
    
     wan traffic (source ip is not nated)
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    08:40:15.302032 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840 
    08:40:15.304022 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840 
    
  • e.g.

     nat
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm nat nat1
    ltm nat nat1 {
        inherited-traffic-group true
        originating-address 200.200.200.101
        traffic-group traffic-group-1
        translation-address 172.28.20.15
        vlans {
            internal
        }
        vlans-enabled
    }
    
     virtual server
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual wildcard
    ltm virtual wildcard {
        destination any:0
        mask any
        profiles {
            fastL4 { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vlans {
            internal
        }
        vlans-enabled
        vs-index 26
    }
    
     irule to send wan and internet to corresponding gateway
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when CLIENT_ACCEPTED {
      if { [IP::addr [IP::local_addr] equals 172.28.26.0/24] } {
        pool wangw
      } else {
        pool netgw
      }
    }
    }
    
     wan gateway
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool wangw
    ltm pool wangw {
        allow-nat no
        members {
            172.28.20.16:0 {
                address 172.28.20.16
            }
        }
    }
    
     internet gateway
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool netgw
    ltm pool netgw {
        members {
            172.28.20.254:0 {
                address 172.28.20.254
            }
        }
    }
    
     internet traffic (source ip is nated to 172.28.20.15)
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    08:39:20.714137 IP 200.200.200.101.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 
    08:39:20.714270 IP 172.28.20.15.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 
    
     wan traffic (source ip is not nated)
    
    [root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
    08:40:15.302032 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840 
    08:40:15.304022 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840