Forum Discussion

Kraig_52305
Jul 29, 2009

NAT Pool Servers Outbound Internet Traffic

I have a Microsoft OCS server in a DMZ that normally just has inbound connections and replies back. VIP 1.1.1.1 and two pool servers 172.16.1.1 and 172.16.1.2. The problem that I have is that I need to NAT the 172.16.1.x addresses when they build a connection out to the internet. Right now the real server IP is being used, which would not be routable on the internet.

I was hoping that I could come up with an iRule that would NAT certain IPs (internet addresses) and not NAT my internal address space.

Any suggestions how to handle this?
  • You could create a 0.0.0.0:0 wildcard forwarding virtual server, create a snatpool that contains the possible public IP addresses that 172.16.1.x can use and apply that iRule to the wildcard forwarding virtual server.

    Here is an example of what the code could be

     when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 172.16.1.0/255.255.255.0] } {
           snatpool internet_nat
        }
     }

    I hope this helps,

    CB

  • Can't we enable the outbound NAT without the iRule??? You can use a snat object as well. Anyway, a wildcard virtual server with an iRule may give you more granular control.

    [root@ve1023:Active] config  b snat outbound_snat list
    snat outbound_snat {
       translation 1.2.3.4
       origins 172.16.1.0/24
       vlans dmz enable
    }
    
  • Thanks Nitass,

    I have tried that one but it didn't work for me, probably I would have missed something.

    One question here: do we need to attach the SNAT object somewhere in the VS or Pool or on a Member (in case of outbound NAT)?

    I have tried that feature in Radware but never in F5, I will have this tested again.

    Regards

    Harsh

  • Nitass,

    Now I am able to set up SNAT for outbound. I can access the internet from the server but I do see that I can't ping 4.2.2.2 or any other internet IP; I understand it is because of the property of SNAT as it does port translation, correct me if I am wrong.

    But I understand there can be a port limitation on BIG-IP when we use SNAT for outbound. For example, if I am using SNAT where we need to load balance DNS servers which use outbound SNAT to resolve DNS queries.

    Is there any way we can fine tune the value for the number of ports in BIG-IP?

    =================

    [root@localhost:Active] config b snat outbound_snat list
    snat outbound_snat {
       translation 192.168.1.201
       origins 192.168.1.0
       vlans external enable
    }

    [root@localhost:Active] config b self show
    SELF 192.168.1.40 mask 255.255.255.0
    | VLAN external floating disable
    SELF 192.168.3.1 mask 255.255.255.0
    | VLAN internal floating disable

    ===================

    Regards

    Harshpal

  • "I can access the internet from the server but I do see that I can't ping 4.2.2.2 or any other internet IP; I understand it is because of the property of SNAT as it does port translation, correct me if I am wrong."

    There is a setting named "snat packet forwarding" at system > configuration > local traffic > general.

    "But I understand there can be a port limitation on BIG-IP when we use SNAT for outbound. For example, if I am using SNAT where we need to load balance DNS servers which use outbound SNAT to resolve DNS queries."

    You can use a snatpool instead of only one translation address.

    sol7820: Overview of SNAT features
    http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7820.html

    hope this helps.
  • Thanks a lot all, this worked for me. Awesome concept and top technology.

    Cheers

    Harsh
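As an added example (not code from the thread or from F5), a small Python model of the SNAT behaviour discussed above: the iRule's subnet test decides which flows get translated, and each translation address has one ephemeral port range, which is why a single snat translation address caps the number of concurrent outbound flows and a snatpool raises that cap. The DMZ subnet is the thread's 172.16.1.0/24; the pool addresses, the port range and the resolver 4.2.2.2 are constructed sample values.

```python
import ipaddress

# Constructed values: the thread's DMZ subnet and an assumed public snatpool.
DMZ_NET = ipaddress.ip_network("172.16.1.0/24")
PORT_RANGE = range(1024, 65536)  # ephemeral ports per translation address (assumed)

class SnatTable:
    """Simplified SNAT model: flows from DMZ_NET are rewritten to a translation
    address from the pool, each TCP/UDP flow consuming one ephemeral port."""

    def __init__(self, pool):
        self.pool = [str(ip) for ip in pool]
        self.next_port = {ip: PORT_RANGE.start for ip in self.pool}
        self.bindings = {}  # (src_ip, src_port, dst_ip, dst_port) -> (xlat_ip, xlat_port)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (address, port) the destination sees for this flow."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.bindings:
            return self.bindings[key]
        # Same test as the iRule in the thread: only the DMZ subnet is SNATed;
        # internal address space passes through unchanged.
        if ipaddress.ip_address(src_ip) not in DMZ_NET:
            return (src_ip, src_port)
        # Walk the pool; a single-address snat object is just a pool of one.
        for xlat_ip in self.pool:
            port = self.next_port[xlat_ip]
            if port in PORT_RANGE:
                self.next_port[xlat_ip] = port + 1
                self.bindings[key] = (xlat_ip, port)
                return self.bindings[key]
        raise RuntimeError("SNAT port exhaustion: every translation address is full")

def flows_until_exhaustion(pool):
    """Constructed driver: open distinct DNS flows from one DMZ host until the
    pool is full; returns how many fit (len(pool) * len(PORT_RANGE))."""
    table = SnatTable(pool)
    count = 0
    try:
        while True:
            # a new source port per flow, all towards the same resolver
            table.translate("172.16.1.1", count, "4.2.2.2", 53)
            count += 1
    except RuntimeError:
        return count

if __name__ == "__main__":
    print(flows_until_exhaustion(["1.2.3.4"]))
    print(flows_until_exhaustion(["1.2.3.4", "1.2.3.5"]))
```

Doubling the pool doubles the flow budget; the same model shows why an internal host (for example 192.168.3.x in the thread) is left untranslated.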