Forum Discussion
zhu_shaofeng_14
Nimbostratus
Dec 25, 2013
NAT and VS Forwarding Issue
Hi:
I have one server that needs to access the WAN and the Internet. I created one VS forwarding for the WAN and one NAT for the Internet.
The LTM has three interfaces: one for internal, one for WAN, and one for Intern...
- Dec 25, 2013
e.g.

nat

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm nat nat1
ltm nat nat1 {
    inherited-traffic-group true
    originating-address 200.200.200.101
    traffic-group traffic-group-1
    translation-address 172.28.20.15
    vlans {
        internal
    }
    vlans-enabled
}

virtual server

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual wildcard
ltm virtual wildcard {
    destination any:0
    mask any
    profiles {
        fastL4 { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 26
}

irule to send wan and internet to corresponding gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::local_addr] equals 172.28.26.0/24] } {
            pool wangw
        } else {
            pool netgw
        }
    }
}

wan gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool wangw
ltm pool wangw {
    allow-nat no
    members {
        172.28.20.16:0 {
            address 172.28.20.16
        }
    }
}

internet gateway

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool netgw
ltm pool netgw {
    members {
        172.28.20.254:0 {
            address 172.28.20.254
        }
    }
}

internet traffic (source ip is nated to 172.28.20.15)

[root@ve11a:Active:In Sync] config # tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:39:20.714137 IP 200.200.200.101.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840
08:39:20.714270 IP 172.28.20.15.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840

wan traffic (source ip is not nated)

[root@ve11a:Active:In Sync] config # tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:40:15.302032 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
08:40:15.304022 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
nitass
Employee
Dec 25, 2013
But must I create two VS?
One VS for forwarding (WAN), one NAT (Internet) will not work?

NAT creates both source and destination listener objects, so it will be applied to WAN traffic.
sol9038: The order of precedence for local traffic object listeners
http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9038.html
To disable NAT for WAN traffic, you can disable allow-nat under the WAN gateway pool configuration.
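To make the behaviour described in that answer concrete, here is a small Python model, added to this page and not code from F5 or from anyone in the thread, of the decision the LTM makes for each outbound flow from 200.200.200.101: the iRule picks a gateway pool by destination, and the selected pool's allow-nat setting decides whether the NAT translation is applied. The addresses, subnet and pool names come from the posted configuration; the Flow class, the egress() helper and the sample flow records are constructed for this example, and the last case shows the failure mode the thread is about (allow-nat left at its default on the WAN pool).

```python
"""Model of outbound flow handling for the configuration posted in this thread.

Added example, plain Python, not F5 code or tmsh. Addresses and pool names are
taken from the thread; Flow, egress() and the sample flows are constructed.
"""
from dataclasses import dataclass
import ipaddress

# From "ltm nat nat1": originating-address / translation-address
NAT_ORIGINATING = ipaddress.ip_address("200.200.200.101")
NAT_TRANSLATION = ipaddress.ip_address("172.28.20.15")

# Subnet tested by the iRule: [IP::addr [IP::local_addr] equals 172.28.26.0/24]
WAN_SUBNET = ipaddress.ip_network("172.28.26.0/24")

# Gateway pools as posted: wangw has "allow-nat no", netgw keeps the default (yes)
POOLS = {
    "wangw": {"gateway": "172.28.20.16", "allow_nat": False},
    "netgw": {"gateway": "172.28.20.254", "allow_nat": True},
}


@dataclass
class Flow:
    """One outbound connection as it arrives on the internal VLAN (constructed)."""
    src: str
    dst: str
    dport: int


def select_pool(flow: Flow) -> str:
    """The iRule 'myrule': destination inside the WAN subnet -> wangw, else netgw."""
    if ipaddress.ip_address(flow.dst) in WAN_SUBNET:
        return "wangw"
    return "netgw"


def egress(flow: Flow, pools: dict = POOLS) -> dict:
    """Return the flow as it leaves the LTM towards the chosen gateway.

    The NAT object matches any flow whose source is its originating-address
    (it installs a source listener, which is why it also catches WAN traffic),
    but the translation is only applied when the selected pool allows NAT.
    """
    pool_name = select_pool(flow)
    pool = pools[pool_name]
    src = ipaddress.ip_address(flow.src)
    nat_applies = src == NAT_ORIGINATING and pool["allow_nat"]
    return {
        "pool": pool_name,
        "gateway": pool["gateway"],
        "src": str(NAT_TRANSLATION if nat_applies else src),
        "dst": flow.dst,
        "dport": flow.dport,
        "nat_applied": nat_applies,
    }


if __name__ == "__main__":
    # Constructed flows mirroring the two tcpdump captures in the thread
    internet = Flow("200.200.200.101", "192.168.206.171", 80)
    wan = Flow("200.200.200.101", "172.28.26.70", 80)
    print(egress(internet))  # source becomes 172.28.20.15 via netgw
    print(egress(wan))       # source stays 200.200.200.101 via wangw

    # Failure mode: WAN pool left with the default allow-nat yes
    wan_pool_default = {**POOLS, "wangw": {**POOLS["wangw"], "allow_nat": True}}
    print(egress(wan, wan_pool_default))  # WAN traffic now gets NATed too
```

The check worth carrying over to a real box is the last case: with `allow-nat` at its default on the WAN gateway pool, the NAT's source listener still wins for traffic from 200.200.200.101, and the WAN side sees 172.28.20.15 instead of the server's real address.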