NAT Exemption / Next-Hop Routing
Hey there,
I've got a tricky situation here, let me try to outline it as simply as possible. I have a BigIP LTM running 10.2.4 HF7 here which has one uplink VLAN (public IP space), several internal VLANs (private IP space divided up into /24s) and one link VLAN which goes directly to a Cisco ASA firewall used for remote dial-in and IPsec site-to-site connections.
I'd like to have local connections (from one VLAN to the other) routed and not NATed, that is, the source IP should stay intact: if vlan1 wants to connect to vlan2, this should be possible and the source IP should not be changed. If the inside VLANs try to access the internet, they should of course be NATed for internet access, and if the inside VLANs try to access a remote subnet which is behind an IPsec site-to-site tunnel, the packets should also not be NATed but forwarded to the next hop, which then takes care of throwing these packets into the IPsec tunnel.
I've tried so many things now that I don't even recall them all, but basically, I think I have a misconception of how routing works on the BigIP.
Let's assume the following subnets: outside (internet facing) vlan: 110.0.0.0/24
inside vlans: 192.168.1.0/24 192.168.2.0/24
link subnet to the Cisco ASA firewall: 192.168.99.0/24
remote subnets: 192.168.100.0/24
I have added a route on the BigIP which routes traffic to 192.168.100.0/24 via 192.168.99.0/24 to specify the next hop. I've also added an automap SNAT for my internal VLANs and things seemed to work just fine until I realized that connections to the remote subnets did not keep their source IP; instead they were NATed to the IP on the link subnet (which is what automap does essentially) and therefore the packets did not find their way into the tunnel, because the link subnet is not part of the IPsec site-to-site tunnel configuration.
I've played with several iRule examples I've found here in the forums but couldn't make it work, things like conditional SNAT, etc., and I think I must have a design flaw somewhere in my configuration and am hoping for some valuable input here.
If you have any questions, please feel free to ask. Thanks in advance, Alex
- JRahmAdmin
Routes on BIG-IP are just that, a forwarding table for packets to follow. The magic happens on virtual servers. So I think what you want is:
Default forwarder 0.0.0.0/0 w/ SNAT automap (or SNAT pool with specific IP)
192.168.1.0/24 forwarder w/ VLAN source of other internal VLAN(s) (and maybe IPsec link if necessary), no NAT
192.168.2.0/24 forwarder w/ VLAN source of other internal VLAN(s) (and maybe IPsec link if necessary), no NAT
192.168.99.0/24 forwarder w/ VLAN source of internal VLAN(s), no NAT
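The design above relies on virtual server selection, not on the route table, to decide which traffic is SNATed. The following model is an added example (not code from the thread, from F5 or from BIG-IP itself) that shows why the default forwarder alone NATs tunnel-bound traffic and how the per-subnet forwarders fix it. It assumes a simplified BIG-IP behaviour: the most specific (longest-prefix) destination match among the virtual servers enabled on the ingress VLAN wins, and SNAT automap rewrites the source to the self IP of the egress VLAN. The self IPs, the ASA next hop 192.168.99.1 and the VLAN names beyond those in the thread are constructed placeholders.

```python
"""Simplified model of BIG-IP forwarding virtual server selection and SNAT automap.

Assumptions (a model, not F5's implementation):
  - the longest-prefix destination match wins among eligible virtual servers,
  - a virtual server is eligible only on the VLANs it is enabled on
    (an empty VLAN list means enabled on all VLANs),
  - SNAT automap rewrites the source to the self IP of the egress VLAN.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Forwarder:
    """An 'ip forward' virtual server."""
    name: str
    destination: str                                 # CIDR the virtual listens for
    vlans: List[str] = field(default_factory=list)   # ingress VLANs; empty = all
    snat_automap: bool = False


@dataclass
class Route:
    """One forwarding-table entry; self_ip is what automap would pick as source."""
    prefix: str
    egress_vlan: str
    self_ip: str
    next_hop: Optional[str] = None                   # None = directly connected


# Constructed topology mirroring the thread's subnets; addresses are placeholders.
ROUTES = [
    Route("110.0.0.0/24", "UPLINK", "110.0.0.2"),
    Route("192.168.1.0/24", "INSIDE_VLAN1", "192.168.1.1"),
    Route("192.168.2.0/24", "INSIDE_VLAN2", "192.168.2.1"),
    Route("192.168.99.0/24", "LINKNET_ASA", "192.168.99.2"),
    Route("192.168.100.0/24", "LINKNET_ASA", "192.168.99.2", next_hop="192.168.99.1"),
    Route("0.0.0.0/0", "UPLINK", "110.0.0.2", next_hop="110.0.0.1"),
]

INTERNAL_VLANS = ["INSIDE_VLAN1", "INSIDE_VLAN2"]

# "Before": only a catch-all forwarder with automap, as in the original post.
BEFORE = [Forwarder("all_subnets", "0.0.0.0/0", snat_automap=True)]

# "After": the catch-all plus per-subnet forwarders without SNAT.
AFTER = [
    Forwarder("all_subnets", "0.0.0.0/0", snat_automap=True),
    Forwarder("inside1-subnet", "192.168.1.0/24", vlans=["INSIDE_VLAN2"]),
    Forwarder("inside2-subnet", "192.168.2.0/24", vlans=["INSIDE_VLAN1"]),
    Forwarder("vpn-remote-subnet", "192.168.100.0/24", vlans=INTERNAL_VLANS),
]


def longest_match(prefix_of, candidates, dst):
    """Return the candidate whose prefix is the most specific match for dst."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for cand in candidates:
        net = ipaddress.ip_network(prefix_of(cand))
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = cand, net.prefixlen
    return best


def select_virtual(virtuals, ingress_vlan, dst):
    """Pick the virtual server: filter by ingress VLAN, then longest destination prefix."""
    eligible = [v for v in virtuals if not v.vlans or ingress_vlan in v.vlans]
    return longest_match(lambda v: v.destination, eligible, dst)


def forward(virtuals, ingress_vlan, src, dst):
    """Model one packet: which virtual handles it, where it egresses, and its source after SNAT."""
    vs = select_virtual(virtuals, ingress_vlan, dst)
    if vs is None:
        return {"action": "drop", "reason": "no virtual server matched"}
    route = longest_match(lambda r: r.prefix, ROUTES, dst)
    return {
        "action": "forward",
        "virtual": vs.name,
        "egress_vlan": route.egress_vlan,
        "next_hop": route.next_hop or dst,
        "src": route.self_ip if vs.snat_automap else src,   # automap = egress self IP
    }


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "tunnel :", forward(cfg, "INSIDE_VLAN1", "192.168.1.10", "192.168.100.5"))
        print(label, "vlan2  :", forward(cfg, "INSIDE_VLAN1", "192.168.1.10", "192.168.2.20"))
        print(label, "internet:", forward(cfg, "INSIDE_VLAN1", "192.168.1.10", "198.51.100.7"))
```

With only the catch-all forwarder, a packet for 192.168.100.5 leaves with source 192.168.99.2, the self IP on the ASA link, which is exactly the symptom described above. Once the 192.168.100.0/24 forwarder exists on the internal VLANs, the same packet keeps its 192.168.1.10 source while internet-bound traffic still hits the automap forwarder.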
- agriesserNimbostratus
Hi Jason,
thanks for your response. Here's what I got so far:
virtual address 192.168.99.0 {
   mask 255.255.255.0
}
virtual address 192.168.1.0 {
   mask 255.255.255.0
}
virtual all_subnets {
   ip forward
   snat automap
   destination any:any
   mask 0.0.0.0
}
virtual inside1-subnet {
   ip forward
   destination 192.168.1.0:any
   mask 255.255.255.0
   vlans { INSIDE_VLAN1 LINKNET_ASA } enable
}
virtual vpn-remote-subnet {
   ip forward
   destination 192.168.99.0:any
   mask 255.255.255.0
   vlans INSIDE_VLAN1 enable
}
Unfortunately I'm still not able to ping hosts on the other end of the IPsec tunnel, and I think my biggest problem is not being able to debug that issue properly. Is there some kind of packet inspection or debug log, or is my configuration mentioned above wrong?
- agriesserNimbostratus
EUREKA!
I think I was a tad too fast. I have now removed the LINKNET_ASA from the inside subnet virtual server and now it seems to work - thanks a bunch! Will do some further testing and come back here if I still have problems.
- JRahmAdmin
Good deal!
- agriesserNimbostratus
Looks all good - internal traffic between the VLANs as well as traffic to the remote networks is not NATed anymore. It just took some time to add all the remote subnets as virtual servers, but that's done now and working perfectly fine as it seems :) Many thanks again!
- Little_Xian_131Nimbostratus
Please share more issues, thanks a lot! I am new.