Forum Discussion
NAT and VS Forwarding Issue
Hi:
I have one server that needs to access both the WAN and the Internet. I created one forwarding VS for the WAN and one NAT for the Internet. The LTM has three interfaces: one for internal, one for the WAN, and one for the Internet connection.
I enabled the forwarding VS on the internal interface and enabled the NAT on the Internet interface. The routing configuration is all correct.
But the problem is that when the server needs to access the WAN network, the NAT always translates the IP to the public IP address, even though I never enabled the NAT on the WAN interface.
But when I delete the NAT, the server can access the WAN correctly.
My OS version is BIG-IP 11.3.0 Build 3138.0 Hotfix HF7. Has anybody faced the same problem?
- nitass (Employee)
Do you know all the WAN addresses the server has to access?
If yes, you may create two virtual servers: one is a network virtual server for the WAN and the other one is a wildcard virtual server for the Internet. Then enable SNAT automap / a SNAT pool under the wildcard virtual server (do not use a SNAT list).
- zhu_shaofeng_14 (Nimbostratus)
Yes, I know all the WAN servers that need to be accessed.
But must I create two VSs?
Will one forwarding VS (WAN) plus one NAT (Internet) not work?
Please correct me, thanks.
- nitass (Employee)
"But must I create two VSs?"
A NAT creates both source and destination listener objects, so it will be applied to the WAN traffic as well.
SOL9038: The order of precedence for local traffic object listeners
To disable the NAT for WAN traffic, you can disable allow-nat under the WAN gateway pool configuration.
- nitass_89166 (Noctilucent)
e.g.

nat

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm nat nat1
ltm nat nat1 {
    inherited-traffic-group true
    originating-address 200.200.200.101
    traffic-group traffic-group-1
    translation-address 172.28.20.15
    vlans {
        internal
    }
    vlans-enabled
}

virtual server

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual wildcard
ltm virtual wildcard {
    destination any:0
    mask any
    profiles {
        fastL4 { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 26
}

irule to send wan and internet traffic to the corresponding gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::local_addr] equals 172.28.26.0/24] } {
            pool wangw
        } else {
            pool netgw
        }
    }
}

wan gateway (allow-nat disabled, so the NAT is not applied to flows sent to this pool)

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm pool wangw
ltm pool wangw {
    allow-nat no
    members {
        172.28.20.16:0 {
            address 172.28.20.16
        }
    }
}

internet gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm pool netgw
ltm pool netgw {
    members {
        172.28.20.254:0 {
            address 172.28.20.254
        }
    }
}

internet traffic (source ip is nated to 172.28.20.15)

[root@ve11a:Active:In Sync] config # tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:39:20.714137 IP 200.200.200.101.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840
08:39:20.714270 IP 172.28.20.15.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840

wan traffic (source ip is not nated)

[root@ve11a:Active:In Sync] config # tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:40:15.302032 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
08:40:15.304022 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
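The captures above are the evidence that allow-nat no on the WAN pool does what the reply says: on interface 0.0 each SYN appears twice, once as received from the server and once as forwarded toward the gateway, so a source-translated flow shows a different source address on its second line. The script below is an added example, not part of the thread and not an F5 tool. It parses tcpdump -nn output, pairs the two copies of each SYN by destination, source port and ISN (which the NAT object leaves unchanged; only the address is translated) and checks that WAN-bound flows keep the server's own address while everything else is translated. The addresses are taken from the configuration posted above; the "before fix" capture is constructed to reproduce the symptom the original poster described and is not from the thread.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample, mirroring the two tcpdump captures posted above (same lines).
CAPTURE_AFTER_FIX = """\
08:39:20.714137 IP 200.200.200.101.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840
08:39:20.714270 IP 172.28.20.15.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840
08:40:15.302032 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
08:40:15.304022 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
"""

# Constructed (hypothetical) sample of the original symptom: the WAN-bound flow
# leaves the BIG-IP with the NAT translation address as well.
CAPTURE_BEFORE_FIX = """\
08:35:02.100000 IP 200.200.200.101.51000 > 172.28.26.70.80: S 1000:1000(0) win 5840
08:35:02.100200 IP 172.28.20.15.51000 > 172.28.26.70.80: S 1000:1000(0) win 5840
"""

SERVER_IP = "200.200.200.101"                      # originating-address of ltm nat nat1
NAT_IP = "172.28.20.15"                            # translation-address of ltm nat nat1
WAN_NET = ipaddress.ip_network("172.28.26.0/24")   # network the iRule sends to pool wangw

# Matches the SYN lines of "tcpdump -nn" output; other lines are ignored.
SYN_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): S (?P<seq>\d+):"
)


class Syn(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    seq: int


def parse_syns(capture: str) -> List[Syn]:
    """Extract SYN packets from tcpdump text; unparsable or non-SYN lines are skipped."""
    syns = []
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m:
            syns.append(Syn(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["seq"])))
    return syns


def check_source_nat(capture: str, server_ip: str = SERVER_IP, nat_ip: str = NAT_IP,
                     wan_net: ipaddress.IPv4Network = WAN_NET) -> Dict[Tuple[str, int], dict]:
    """Report, per flow, the source address on the forwarded copy of the SYN and whether
    it matches the intended policy: destinations inside wan_net keep server_ip (the WAN
    pool has allow-nat no), every other destination must show nat_ip."""
    flows: Dict[Tuple[str, int, int, int], List[str]] = defaultdict(list)
    for s in parse_syns(capture):
        # Pair ingress and egress copies: the NAT changes only the source address,
        # so destination, source port and ISN identify one flow.
        flows[(s.dst, s.dport, s.sport, s.seq)].append(s.src)
    report = {}
    for (dst, dport, _sport, _seq), sources in flows.items():
        egress_src = sources[-1]  # last copy seen is the packet leaving the BIG-IP
        expected = server_ip if ipaddress.ip_address(dst) in wan_net else nat_ip
        report[(dst, dport)] = {
            "egress_src": egress_src,
            "expected_src": expected,
            "ok": egress_src == expected,
        }
    return report


if __name__ == "__main__":
    for label, cap in (("after fix", CAPTURE_AFTER_FIX), ("before fix", CAPTURE_BEFORE_FIX)):
        for (dst, dport), r in check_source_nat(cap).items():
            status = "OK " if r["ok"] else "BAD"
            print(f"{label:10s} {status} {dst}:{dport} egress src {r['egress_src']} "
                  f"(expected {r['expected_src']})")
```

Run it against a fresh capture after changing the pool, or pipe tcpdump output into it, to confirm that only Internet-bound flows carry the translation address. Pairing by ISN only works for the NAT object shown here; a SNAT with port translation would need the pairing key relaxed to destination plus timing.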
- zhu_shaofeng_14 (Nimbostratus)
Hi Nitass: Thanks a lot! It works!