Forum Discussion
Kraig_52305
Nimbostratus
Jul 29, 2009
NAT Pool Servers Outbound Internet Traffic
I have a Microsoft OCS server in a DMZ that normally just has inbound connections and replies back. VIP 1.1.1.1 and two pool servers 172.16.1.1 and 172.16.1.2. The problem that I have is that I need to NAT the 172.16.1.x addresses when they build a connection out to the internet. Right now the real server IP is being used, which would not be routable on the internet.
I was hoping that I could come up with an iRule that would NAT certain IPs (internet addresses) and not NAT my internal address space.
Any suggestions on how to handle this?
7 Replies
- The_Bhattman
Nimbostratus
You could create a 0.0.0.0:0 wildcard forwarding virtual server, create a snatpool that contains the possible public IP addresses that 172.16.1.x can use, and apply that iRule to the wildcard forwarding virtual server.
Here is an example of what the code could be:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 172.16.1.0/255.255.255.0] } {
            snatpool internet_nat
        }
    }
I hope this helps,
CB
- harshpal_35434
Nimbostratus
Can't we enable the outbound NAT without the iRule?
- nitass
Employee
> Can't we enable the outbound NAT without the iRule?

You can use a SNAT object as well. Anyway, a wildcard virtual server with an iRule may give you more granular control.

    [root@ve1023:Active] config b snat outbound_snat list
    snat outbound_snat {
       translation 1.2.3.4
       origins 172.16.1.0/24
       vlans dmz enable
    }
- harshpal_35434
Nimbostratus
Thanks Nitass,
I have tried that one but it didn't work for me; probably I missed something.
One question here: do we need to attach the SNAT object somewhere in the VS, pool or member (in case of outbound NAT)?
I have tried that feature in Radware but never in F5. I will have this tested again.
Regards
Harsh
- harshpal_35434
Nimbostratus
Nitass,
Now I am able to set up SNAT for outbound. I can access the internet from the server, but I do see that I can't ping 4.2.2.2 or any other internet IP. I understand it is because of the property of SNAT, as it does port translation. Correct me if I am wrong.
But I understand there can be a port limitation on BIG-IP when we use SNAT for outbound. For example, if I am using SNAT where we need to load balance DNS servers which use outbound SNAT to resolve DNS queries.
Is there any way we can fine-tune the value for the number of ports in BIG-IP?
=================
[root@localhost:Active] config b snat outbound_snat list
snat outbound_snat
{
translation 192.168.1.201
origins 192.168.1.0
vlans external enable
}
[root@localhost:Active] config b self show
SELF 192.168.1.40 mask 255.255.255.0
| VLAN external floating disable
SELF 192.168.3.1 mask 255.255.255.0
| VLAN internal floating disable
===================
Regards
Harshpal
- nitass
Employee
> I can access the internet from the server, but I do see that I can't ping 4.2.2.2 or any other internet IP. I understand it is because of the property of SNAT, as it does port translation. Correct me if I am wrong.

There is a setting named "SNAT Packet Forwarding" at System > Configuration > Local Traffic > General.

> But I understand there can be a port limitation on BIG-IP when we use SNAT for outbound. For example, if I am using SNAT where we need to load balance DNS servers which use outbound SNAT to resolve DNS queries.

You can use a snatpool instead of only one translation address.

sol7820: Overview of SNAT features
http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7820.html

Hope this helps.
- harshpal_35434
Nimbostratus
Thanks a lot, all. This worked for me. Awesome concept and top technology.
Cheers
Harsh
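Pulling the thread together, the following is an added example (not code from any of the posts above) of the iRule approach The_Bhattman described, extended to do what the original question actually asked for: translate only connections from the DMZ pool servers that are bound for the internet, and leave traffic to internal address space untranslated. It assumes a 0.0.0.0:0 forwarding virtual server (protocol "All Protocols") enabled only on the DMZ VLAN with this iRule attached, and a SNAT pool named internet_nat (name taken from The_Bhattman's post) holding the public translation addresses. The RFC 1918 ranges, the $dst variable and the comments are my assumptions, not part of the thread.

```tcl
# Added example, not from the thread.
# Attach to: virtual server 0.0.0.0:0, type Forwarding (IP), protocol All
# Protocols, enabled on VLAN "dmz" only.
# Assumed SNAT pool "internet_nat": several public addresses rather than one,
# because each translation address carries its own ephemeral-port budget, so a
# pool of N addresses gives roughly N times the concurrent-connection headroom
# that a single "translation" address in a SNAT object offers.
when CLIENT_ACCEPTED {
    # On a forwarding virtual server the "local" address of the accepted
    # connection is the real destination the server is trying to reach.
    set dst [IP::local_addr]

    # Destinations inside private address space (RFC 1918, assumed to be the
    # customer's internal ranges): no translation, keep the real server IP so
    # internal hosts and logs still see 172.16.1.x.
    if { [IP::addr $dst equals 10.0.0.0/255.0.0.0] ||
         [IP::addr $dst equals 172.16.0.0/255.240.0.0] ||
         [IP::addr $dst equals 192.168.0.0/255.255.0.0] } {
        snat none
        return
    }

    # Everything else is internet-bound. Only the OCS pool servers are
    # translated; any other source on the DMZ VLAN is explicitly left alone
    # so the decision is unambiguous for every connection the VS handles.
    if { [IP::addr [IP::client_addr] equals 172.16.1.0/255.255.255.0] } {
        snatpool internet_nat
    } else {
        snat none
    }
}
```

Two caveats that follow from the thread: the iRule only influences connections the forwarding virtual server picks up, so the VLAN setting on the VS is what keeps it from touching inbound traffic to the 1.1.1.1 VIP; and, as nitass noted, ICMP (the ping to 4.2.2.2) through a SNAT is governed by the "SNAT Packet Forwarding" setting under System > Configuration > Local Traffic > General, which the iRule itself does not change.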