Forum Discussion
Jeepha_42175
Nimbostratus
NimbostratusNewbie Question. Big IP as Gateway v4.5
Hello,
I have recently taken over for another technician that was 'excused' due not getting projects completed. One of my tasks is implementing this F5 to load balance two https servers.
This is a LTM 2400 series running 4.5. It has been sitting in the rack since it was purchased new without being configured. (One of his unfinished projects). So it is currently out of support, and updating the kernel is probably not going to happen. It is pretty simple what I need to do, and so far all is going well except I cannot get my nodes to browse the internet. Here is what I have done so far:
Big ip has two enabled interfaces, one on the outside world with a public IP, and the other with a local ip. I have two web servers on the internal IP network that need to be accessed by the world. They both are using the internal interface of the BIG IP as their gateways. they are able to resolve DNS, however they cannot browse accross the BigIP. I have created a virtual server and can effectivly browse the sites on the Nodes from the Internet via the virtual server.
The problem I am having is accessing the Internet from the web servers. I have tried creating a wildcard forwarding server with ip 0.0.0.0/0.0.0.0, but still no dice. Here are the settings:
Virtual Server 0.0.0.0:0
Status ENABLED
Virtual Server Address Status: Enabled
Enable translation: NO
Enable Reset on Service Down: No
Enable Connection Rebind: NO
Enable ARP: YES
Enable Reset on Timeout:YES
Disable FasFlow Acceleration: NO
Connection Limit: 0
Last hop pool: choose
No disabled LAnS
Resources Forwarding
I have been reading posts all day that refer to Creating a FastL4 Profile...but I dont believe that option is available to me on this version. I am sure I am missing something very basic, but the solution eludes me. Please give me a hand if you can.
Thank you Very much
Curtis
strongarm_46960Curtis, There far too many variables at play here, its hard to point at one particular entity.
First of all, signup for & join askf5, then download & read this admin guide thoroughly ⇒ https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/pg_IPswitch_942.html , and other related searched manual.
After reading it, then ask your manager politely explaining the huge task ahead gathered from the manual, that the requested job requires a new set of skill and therefore requires them to sponsor you on a Websecurity & F5 LTM course.
FastL4 Profile is not your problem.
Incidentally, Curtis, why are you trying to access the Internet from the web servers? Instead, you should be trying to access your web-servers from the Net?
Not a good idea security wise opening up your network with wild cards.
hoolioCirrostratus
Without addressing potential security issues, from a technical perspective you should be able to pass this traffic if you configure SNAT on the wildcard VIP. This ensures BIG-IP performs source address translation on outbound requests.
Aaron
Jeepha_42175
Thank you for your reply. I apologize for not getting back to you sooner, but I had several projects that came up with priority.
I have two unroutable internal web servers that need to get out to the Internet. Inbound works fine through the F5. The external interface of the F5 is sitting on the Internet and not firewalled.
I have tried the SNAT solution you outlined. I created a new SNAT:
Translation Address: AUTOMAP
Enable ARP: Checked
Origin Address:
10.100.20.61
10.100.20.62
Netmask not defined
Origin Vlan: internal
Disabled Vlans: None
I am confused on this suggestion from you:
"Note that if you do that you have to check the Allow SNAT checkbox on that self-ip definition as well."
I am not sure where I am to apply this.
Thank you for your help.
Curtis- Jeepha_42175Thank you very much for your help.
This is all working perfectly now.
Thanks again,
Curtis