blacksan_10396
Aug 23, 2010

Outbound LTM with NATs

OK, so I just want to share my design to see if there are any ways I could improve it.

Environment: F5 BIG-IP LTM with three ISPs.

Goal: Create static NATs on the LTM for the ISP which do not need to be load-balanced (outbound).

LTM Design:

1 VServer Outbound_TCP
-- Address: 0.0.0.0 / 0.0.0.0 port 0
-- Type: Standard
-- Protocol: TCP
-- VLAN on Internal Network
-- SNAT: none
-- Default Pool: default_gateways (all three ISP gateways)
-- Persistence: Outbound (src_addr with 3600 sec and all buttons checked)
-- iRule: Outbound_irule

2 VServer Outbound_UDP
-- Address: 0.0.0.0 / 0.0.0.0 port 0
-- Type: Standard
-- Protocol: UDP
-- VLAN on Internal Network
-- SNAT: none
-- Default Pool: default_gateways (all three ISP gateways)
-- Persistence: Outbound (src_addr with 3600 sec and all buttons checked)
-- iRule: Outbound_irule

3 VServer Outbound_FTP
-- Address: 0.0.0.0 / 0.0.0.0 port 21
-- Type: Standard
-- Protocol: TCP
-- Profile: ftp
-- VLAN on Internal Network
-- SNAT: none
-- Default Pool: default_gateways (all three ISP gateways)
-- Persistence: Outbound (src_addr with 3600 sec and all buttons checked)
-- iRule: Outbound_irule

4 VServer Outbound_General
-- Address: 0.0.0.0 / 0.0.0.0 port 0
-- Type: Forwarding IP
-- Protocol: All
-- VLAN on Internal Network
-- SNAT: none
-- Default Pool: None - this will use the BIG-IP default routes (same pool as above)
-- Persistence: None for Forwarding IP
-- iRule: Outbound_irule

5 Pool: default_gateways
-- Monitor: gateway_icmp
-- Monitor: gateway_icmp - next hop

6 BIG-IP Gateway
-- Default Gateway: default_gateways pool
-- Static routes: one server route through each ISP for monitoring
-- Load-Balance: Predictive Member - we are still playing with this

7 NATs
-- Create a NAT for servers behind the LTM; make sure everyone knows that if that ISP goes down, those servers will also be unavailable on the Internet

8 Datagroups (under iRules)
-- Add the servers' IP addresses to the ISP datagroup

9 iRule

aaa.aaa.aaa.agw and default_gateway_isp_a are the default gateway for ISP A
bbb.bbb.bbb.bgw and default_gateway_isp_b are the default gateway for ISP B
ccc.ccc.ccc.cgw and default_gateway_isp_c are the default gateway for ISP C

aaa.aaa.aaa.nat and snatpool snat_isp_a are the SNAT pool for ISP A
bbb.bbb.bbb.nat and snatpool snat_isp_b are the SNAT pool for ISP B
ccc.ccc.ccc.nat and snatpool snat_isp_c are the SNAT pool for ISP C

network_force_pool_isp_a is the datagroup for IP addresses which need to be routed through ISP A only, because they have their own static NAT or SNAT
network_force_pool_isp_b is the datagroup for IP addresses which need to be routed through ISP B only, because they have their own static NAT or SNAT
network_force_pool_isp_c is the datagroup for IP addresses which need to be routed through ISP C only, because they have their own static NAT or SNAT

 

 

# Outbound_irule
# Tcl needs the opening brace of each if/elseif body on the same line as the
# condition; a brace on the following line is parsed as a new command and the
# rule fails to load.

when LB_SELECTED {
    # Hosts in a force datagroup already have their own static NAT or SNAT on
    # that ISP, so pass them through unchanged; everyone else gets the SNAT
    # pool that matches the gateway the pool chose for this connection.
    if { [matchclass [IP::client_addr] equals $::network_force_pool_isp_a] } {
        log local0. "no SNAT ISP A for IP [IP::client_addr]"
        forward
    } elseif { [matchclass [IP::client_addr] equals $::network_force_pool_isp_b] } {
        log local0. "no SNAT ISP B for IP [IP::client_addr]"
        forward
    } elseif { [matchclass [IP::client_addr] equals $::network_force_pool_isp_c] } {
        log local0. "no SNAT ISP C for IP [IP::client_addr]"
        forward
    } elseif { [LB::server addr] eq "aaa.aaa.aaa.agw" } {
        log local0. "SNAT [IP::client_addr] natt'ed to aaa.aaa.aaa.nat, via ISP A"
        snatpool snat_isp_a
    } elseif { [LB::server addr] eq "bbb.bbb.bbb.bgw" } {
        log local0. "SNAT [IP::client_addr] natt'ed to bbb.bbb.bbb.nat, via ISP B"
        snatpool snat_isp_b
    } elseif { [LB::server addr] eq "ccc.ccc.ccc.cgw" } {
        log local0. "SNAT [IP::client_addr] natt'ed to ccc.ccc.ccc.nat, via ISP C"
        snatpool snat_isp_c
    }
}

when CLIENT_ACCEPTED {
    # Pin hosts with their own NAT to the gateway pool of "their" ISP; all
    # other clients fall through to the virtual server's default pool.
    if { [matchclass [IP::client_addr] equals $::network_force_pool_isp_a] } {
        log local0. "Force Pool ISP A for IP [IP::client_addr]"
        pool default_gateway_isp_a
    } elseif { [matchclass [IP::client_addr] equals $::network_force_pool_isp_b] } {
        log local0. "Force Pool ISP B for IP [IP::client_addr]"
        pool default_gateway_isp_b
    } elseif { [matchclass [IP::client_addr] equals $::network_force_pool_isp_c] } {
        log local0. "Force Pool ISP C for IP [IP::client_addr]"
        pool default_gateway_isp_c
    }
}
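Added model of the post's decision logic, not the author's iRule: it reproduces the evaluation order of the CLIENT_ACCEPTED and LB_SELECTED chains and audits the three force datagroups for entries that an earlier datagroup shadows (the first matchclass hit wins, so a host listed under two ISPs never reaches the second ISP's NAT). The addresses are constructed stand-ins for the post's aaa/bbb/ccc placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-ins (RFC 5737 ranges) for the aaa/bbb/ccc placeholders in the post.
ISP_ORDER = ["A", "B", "C"]  # evaluation order of the iRule's elseif chain
GATEWAYS = {"A": "192.0.2.1", "B": "198.51.100.1", "C": "203.0.113.1"}
SNAT_POOLS = {"A": "snat_isp_a", "B": "snat_isp_b", "C": "snat_isp_c"}
FORCE_POOLS = {"A": "default_gateway_isp_a", "B": "default_gateway_isp_b", "C": "default_gateway_isp_c"}
# network_force_pool_isp_* datagroups: hosts with their own static NAT/SNAT on that ISP.
# 10.1.2.5 is deliberately listed under C while A already holds 10.1.2.0/24.
FORCE_DATAGROUPS = {
    "A": ["10.1.1.10/32", "10.1.2.0/24"],
    "B": ["10.1.3.20/32"],
    "C": ["10.1.2.5/32", "10.1.4.0/24"],
}

def _networks(isp: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(n) for n in FORCE_DATAGROUPS[isp]]

def forced_isp(client_ip: str) -> Optional[str]:
    """First datagroup containing the client, in A/B/C order (matchclass chain)."""
    addr = ipaddress.ip_address(client_ip)
    for isp in ISP_ORDER:
        if any(addr in net for net in _networks(isp)):
            return isp
    return None

def client_accepted(client_ip: str) -> Optional[str]:
    """CLIENT_ACCEPTED: pin forced hosts to their ISP pool, else use the VS default pool."""
    isp = forced_isp(client_ip)
    return FORCE_POOLS[isp] if isp else None

def lb_selected(client_ip: str, server_addr: str) -> Tuple[str, Optional[str]]:
    """LB_SELECTED: forced hosts are forwarded unchanged, others get the SNAT pool of the
    chosen gateway. No final else: an unknown gateway means no SNAT at all (private source)."""
    if forced_isp(client_ip):
        return ("forward", None)
    for isp in ISP_ORDER:
        if server_addr == GATEWAYS[isp]:
            return ("snatpool", SNAT_POOLS[isp])
    return ("none", None)

def audit_datagroups() -> List[Tuple[str, str, str]]:
    """Entries an earlier datagroup shadows, as (isp, entry, shadowed_by)."""
    findings = []
    for i, isp in enumerate(ISP_ORDER):
        for net in _networks(isp):
            for earlier in ISP_ORDER[:i]:
                if any(net.overlaps(other) for other in _networks(earlier)):
                    findings.append((isp, str(net), earlier))
    return findings
```

Running audit_datagroups() against the real datagroups before loading the iRule catches the silent shadowing case, and the "none" result from lb_selected() shows why a gateway address typo leaves connections without any SNAT.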

 

 

 

 
