Forum Discussion

zhu_shaofeng_14's avatar
zhu_shaofeng_14
Icon for Nimbostratus rankNimbostratus
Dec 25, 2013

NAT and VS Forwarding Issue

Hi:   I have one server need to access WAN and Internet, I create one VS Forwarding for WAN and One NAT for Internet, The LTM has three interface, one for internal, one for WAN, and one for Intern...
management
TMSH
  • nitass_89166's avatar
    nitass_89166
    Dec 25, 2013

    e.g.

     nat

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm nat nat1
ltm nat nat1 {
    inherited-traffic-group true
    originating-address 200.200.200.101
    traffic-group traffic-group-1
    translation-address 172.28.20.15
    vlans {
        internal
    }
    vlans-enabled
}

 virtual server

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual wildcard
ltm virtual wildcard {
    destination any:0
    mask any
    profiles {
        fastL4 { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 26
}

 irule to send wan and internet to corresponding gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
  if { [IP::addr [IP::local_addr] equals 172.28.26.0/24] } {
    pool wangw
  } else {
    pool netgw
  }
}
}

 wan gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool wangw
ltm pool wangw {
    allow-nat no
    members {
        172.28.20.16:0 {
            address 172.28.20.16
        }
    }
}

 internet gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool netgw
ltm pool netgw {
    members {
        172.28.20.254:0 {
            address 172.28.20.254
        }
    }
}

 internet traffic (source ip is nated to 172.28.20.15)

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:39:20.714137 IP 200.200.200.101.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 
08:39:20.714270 IP 172.28.20.15.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 

 wan traffic (source ip is not nated)

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:40:15.302032 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840 
08:40:15.304022 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
nitass's avatar
nitass
Icon for Employee rankEmployee
Dec 25, 2013

do you know all wan address server has to access?

 

if yes, you may create two virtual servers; one is network virtual server for wan and the other one is wildcard virtual server for internet. then enable snat automap/snatpool under the wildcard virtual server (do not use snat list).