For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

BPetronio_11363's avatar
BPetronio_11363
Icon for Nimbostratus rankNimbostratus
Jun 22, 2010

NAT object in LC

Hi all,

 

 

Im trying to understand why it works sometimes and others doesnt.

 

 

I have 3 links in a LC.

 

A default GW route using a gw_pool in round robin loadbalance mode with the 3 ips of each link.

 

Defined a VS 0.0.0.0 with that gw_pool too.

 

 

I need that one specific server from internal networks goes out with a specific ip address from 1 link only.

 

I think the same NAT could give me the inbound traffic correctly.

 

 

 

I have done some tests, and for inbound traffic, it wotks perfectly.

 

I ping the NAT address, and the packets are beeing translated to the origin address correctly.

 

 

For outbound traffic, sometimes i could reach the outside, others dont. When i can reach the outside, the NAT is performed correctly, cause i can see the source ip on the internet server.

 

 

 

Any ideas what could be happening ?

 

How can i troubleshoot this ?

 

 

Best Regards,

 

Bruno Petrónio

 

 

 

config
design

6 Replies

  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jun 22, 2010
    I'd recommend creating an iRule to SNAT your traffic on the way out so you can make sure it uses the proper link...

    I'd do something like this:

    1. Create a gateway pool with that specific link called "gw_pool_x" where x is your link

    2. Create a SNAT Pool with the NAT address from that link - let's call it "snatpool_x"

    3. Create an iRule and apply it to the VS. 

    
when CLIENT_ACCEPTED {
  if {[[IP::client_addr] equals x.x.x.x] } {
     pool gw_pool_x 
     snatpool snatpool_x  } }

    Something like that should work...
  • BPetronio_11363's avatar
    BPetronio_11363
    Icon for Nimbostratus rankNimbostratus
    Jun 22, 2010
    Thank You Chris,

     

     

    From what i have read, i cant use the same ip address on snat and nat simultaneously, and i will need to perform inbound and outbound Adress Translation.

     

     

    So for outbound i guess it was a good choice but and for inbound ?

     

     

    Just for clarify, when u mention "3. Create an iRule and apply it to the VS. 3. Create an iRule and apply it to the VS. ", you are refering to VS_Outbound (0.0.0.0), right ?

     

     

     

    Best Regards,

     

    Bruno Petrónio

     

  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jun 23, 2010
    I am indeed referring to your VS_Outbound.

     

     

    I'm not sure whether you can have both a NAT and SNAT - I haven't tried it. I know you can have a SNAT with the same address as a Virtual Server though so I would expect you could do it...
  • Cspillane_18296's avatar
    Cspillane_18296
    Icon for Nimbostratus rankNimbostratus
    Jun 24, 2010
    Hello Gents,

     

     

    I just wanted to clarify that a NAT and SNAT can't share an address - the NAT needs to have a unique address. The SNAT can however share an address with a Virtual Server/SelfIP or use a seperate address.

     

     

    I hope this helps :S
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Jun 24, 2010
    Thanks for the clarification Cspillane!

     

     

    Bruno - can you help us understand the need for the inbound NAT? Since you can use SNAT with a VS, why not just use VSes instead of NATs?
  • BPetronio_11363's avatar
    BPetronio_11363
    Icon for Nimbostratus rankNimbostratus
    Jul 06, 2010
    Hello guys,

     

     

    Thank you for your feedback.

     

     

    I did implement the way you refer.

     

     

    Many thanks,

     

    Best Regards,

     

    Bruno Petrónio