Forum Discussion
Eric_Watters_25
Nimbostratus
NimbostratusOne For One Packet Forward Based On Original Dest IP
Ok.......I really didn't know how to title this one. I currently have an Enterprise Network with PIX 535's Terminating Firewall to Firewall VPN connections from remote offices. There is a pair of BIG IP's running 4.5 ptf3 on the Enterprise Network. I have a separate DMZ environment. PIX 535's sitting outside a pair of BIG IP's running 9.0.5. Because of the PIXs design of not forwarding traffic out the same interface on which the traffic was rec'd, remote offices need their own VPN connection to the DMZ environment to access resources on that LAN. It is a lot of administration. I was hopeful that I could have the remote offices route their traffic to a new subnet when trying to talk to the DMZ environment and have the BIG IP say hey......this packet is destined for 10.1.1.1 I need to forward it to 192.168.1.1.......this packet is destined for 10.1.1.2 I need to send this packet to 192.168.1.2 etc etc. This would enable me to tear down all the VPN connections between the remote offices and the DMZ Firewalls. I know I could do this with a Virtual Servers pointed to one member pools, but that is a lot of configuring and any better solution than all the various VPN connections to the DMZ Firewalls to begin with.
Thanks in advance for your help.
Eric Watters
Atlanta, Ga.
- Eric,
there is unfortunately no way how to do automatic one2one address translation on BIG-IP v4.x without having each original and translated address listed in the configuration (either as virtual server and pool member, or nat origin and translation address). The showstopper is that there is no way how to pass destination address to functions like getfield or findstr as a string (as opposed to binary).
You can easily implement this feature (and much more) with iRules in BIG-IP v9.x.
