Forum Discussion

Michael_61068's avatar
Michael_61068
Icon for Altocumulus rankAltocumulus
Jan 26, 2017

Outbound SNAT for servers: Destination Net Prohibited

Hi,

 

Probably something simple ...

 

I am trying to set up outbound connections for servers behind my F5 LTM. My assumption was that an outbound SNAT (using auto map)as per the configuration guides would accomplish this. Unfortunately not.

 

 

When I do a test ping I get the message back from the Big IP: Destiantion Net Prohibited:

 

 

When I configure a static NAT for a particular server everything is fine.

 

The configuration guide does not mention any additional configuration required for this outbound snat scenario.

 

I believe that NAT or SNAT should be sufficient to allow traffic through the LTM. For NAT this is the case.

 

In the end I have created a "Forwarding IP" Virtual server for all source IPs and I have bound that to my internal interface. The Virtual server is suing "auto map" as well for source IP address translation.

 

 

I would prefer to use the outbound SNAT and not the Virtual server. If someone could help identify the issue, I would appreciate it.

 

Many thanks,

 

application delivery
LTM
snat
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Jan 26, 2017

    Michael - this should work. Have you tried any other port/protocol other than ICMP? If you browse to System - Configuration - Local Traffic - General do you see an option called "SNAT Packet Forwarding"? I think the default is TCP/UDP only so you should change this to All Traffic to allow ICMP through a SNAT. My lab is v11.5.1, just in case this option is different in other versions.

     

    Hope this helps,

     

    N

     

  • Michael_61068's avatar
    Michael_61068
    Icon for Altocumulus rankAltocumulus
    Jan 26, 2017

    Hi All,

     

    I tired on an earlier version 11.6.1 and the Outbound SNAT configuration worked!

     

    I went back to my original 12.1.2 version and wiped my configuration deactivated the ASM module. I reconfigured the outbound SNAT and it work! I activated the ASM again and put back all my nodes polls, and virtual servers and the outbound SNAT and ti still worked!

     

    I do not really understand