Forum Discussion
zhu_shaofeng_14
Nimbostratus
NimbostratusNAT and VS Forwarding Issue
Hi:
I have one server need to access WAN and Internet, I create one VS Forwarding for WAN and One NAT for Internet,
The LTM has three interface, one for internal, one for WAN, and one for Intern...
e.g.
nat root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm nat nat1 ltm nat nat1 { inherited-traffic-group true originating-address 200.200.200.101 traffic-group traffic-group-1 translation-address 172.28.20.15 vlans { internal } vlans-enabled } virtual server root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual wildcard ltm virtual wildcard { destination any:0 mask any profiles { fastL4 { } } rules { myrule } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { internal } vlans-enabled vs-index 26 } irule to send wan and internet to corresponding gateway root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule ltm rule myrule { when CLIENT_ACCEPTED { if { [IP::addr [IP::local_addr] equals 172.28.26.0/24] } { pool wangw } else { pool netgw } } } wan gateway root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool wangw ltm pool wangw { allow-nat no members { 172.28.20.16:0 { address 172.28.20.16 } } } internet gateway root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool netgw ltm pool netgw { members { 172.28.20.254:0 { address 172.28.20.254 } } } internet traffic (source ip is nated to 172.28.20.15) [root@ve11a:Active:In Sync] config tcpdump -nni 0.0 port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 08:39:20.714137 IP 200.200.200.101.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 08:39:20.714270 IP 172.28.20.15.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840 wan traffic (source ip is not nated) [root@ve11a:Active:In Sync] config tcpdump -nni 0.0 port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes 08:40:15.302032 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840 08:40:15.304022 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
nitass
Employee
Employeee.g.
nat
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm nat nat1
ltm nat nat1 {
inherited-traffic-group true
originating-address 200.200.200.101
traffic-group traffic-group-1
translation-address 172.28.20.15
vlans {
internal
}
vlans-enabled
}
virtual server
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual wildcard
ltm virtual wildcard {
destination any:0
mask any
profiles {
fastL4 { }
}
rules {
myrule
}
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
internal
}
vlans-enabled
vs-index 26
}
irule to send wan and internet to corresponding gateway
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
when CLIENT_ACCEPTED {
if { [IP::addr [IP::local_addr] equals 172.28.26.0/24] } {
pool wangw
} else {
pool netgw
}
}
}
wan gateway
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool wangw
ltm pool wangw {
allow-nat no
members {
172.28.20.16:0 {
address 172.28.20.16
}
}
}
internet gateway
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool netgw
ltm pool netgw {
members {
172.28.20.254:0 {
address 172.28.20.254
}
}
}
internet traffic (source ip is nated to 172.28.20.15)
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:39:20.714137 IP 200.200.200.101.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840
08:39:20.714270 IP 172.28.20.15.46442 > 192.168.206.171.80: S 1529194290:1529194290(0) win 5840
wan traffic (source ip is not nated)
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 96 bytes
08:40:15.302032 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
08:40:15.304022 IP 200.200.200.101.59834 > 172.28.26.70.80: S 3450625808:3450625808(0) win 5840
zhu_shaofeng_14Hi Nitass: Thanks a lot ! It works!