Forum Discussion

Mar 20, 2013

per internal server, two 'static' NAT needed (two external VLAN/ISP) for outbound

Hello,

I have a configuration with one internal VLAN (with web servers, y.y.y.y/24) and two external VLANs (for ISP1 x.x.x.x/24 and ISP2 x.x.y.x/24). Incoming/outgoing connections already work fine.

We currently use autonat on the 'outgoing' virtual (forwarding) 0.0.0.0 server, composed of a 'default gateway' pool with the two ISP 'routers' (in fact the internal interfaces of the firewall cluster facing the Internet and the two ISPs; let's call them router-isp1 and router-isp2). We also use a priority group to make sure we always use link 'ISP1' unless it goes down.

When a web server wants to initiate a connection towards the Internet, it uses the VS. If router-isp1 is up, the server is NATed in this range behind the floating IP of the F5 (x.x.x.1). Same approach for router-isp2 (x.x.y.1) if router-isp1 is down. Already good enough; let's call it 'Hide' NAT.

Now, we would like to go a bit further with this (working) setup and use 'Static' NAT, meaning 1-to-1 NAT in our mind (and in our case it would rather be 1-to-2 Static NAT).

If server A (y.y.y.10) leaves the infra through router-isp1, I would like it to be NATed behind x.x.x.10, and if via router-isp2, to be NATed behind x.x.y.10.

Same for server B (y.y.y.20), to be NATed to x.x.x.20 or x.x.y.20 depending on the router-isp used.

I thought of using NAT for this. But my problem is that I cannot create two NAT entries with the same origin server but applied on different VLANs, which I can understand.

And I do not see how to achieve it via SNAT except with autonat. I can only 'use' one SNAT pool per pool, and I have only one pool with the two router-isps.

I guess it is feasible in an iRule with something like:

For any web server that initiates an outgoing connection
    if router-isp1 in pool 'default gateway' is up
        then NAT its internal IP y.y.y.Z to x.x.x.Z
    else
        NAT its internal IP y.y.y.Z to x.x.y.Z

But my management is not really a fan of iRules: for them, scripting means that the device could do more but the vendor relies on the customer's knowledge.

Thus I am wondering if we can do it with the 'embedded' NAT/SNAT features of the F5 (precision: we do not want to use two default gateway pools, each composed of one member).

Let me know if you need any more info.

Thanks and best regards,

--

Benoit

5 Replies

  • > If server A (y.y.y.10) leaves the infra through router-isp1, I would like it to be natted behind x.x.x.10. And if via router-isp2, to be natted behind x.x.y.10).
    > Same for server B (y.y.y.20) to be natted to x.x.x.20 or x.x.y.20 depending on the router-isp used.

    Can you try to add x.x.x.10 and x.x.y.10 to a snatpool and use it in a SNAT list? Also, x.x.x.20 and x.x.y.20 in another snatpool and SNAT list. And in the outgoing virtual server (0.0.0.0/0), set SNAT to none.
  • Héhé, thanks for the answer, I am precisely trying this kind of setup.

    But thanks for the trick with SNAT to none in the 0.0.0.0/0 forwarding VS.

    I'll keep you posted.

    Best regards,

    --

    Benoit

  • Hello,

    Thanks for the advice, so far it works as expected.

    I'll need to reconfigure my firewalls a bit more because of the new IPs seen (NAT, AS, rulebase...), but as it worked for the 'floating' IP and automap I do not expect issues there.

    I already know what I will tell the management about F5 :-)

    Regards,

    --

    Benoit

  • OK, validated for one server: it has access to the Internet through the two external VLANs (the 1st one is always used unless the router-isp1 node goes down) and is able to use the two ISPs in a transparent way (I mean the server does not care which ISP it uses).

    Thanks again for the swift answer!

    --

    Benoit

  • You are welcome. Actually, I was not 100% sure, but I remember that is how it works.

    Thanks for the confirmation. :-)
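The per-server setup suggested in the first reply (one snatpool holding a server's translation address on each external subnet, one SNAT-list entry per server, SNAT set to none on the forwarding VS), written out as tmsh commands. This is an added example, not configuration posted in the thread; the object names (serverA_snatpool, serverA_snat, outbound_fwd, default_gateway_pool) are assumptions, and the addresses are the thread's own x/y placeholders.

```tmsh
# Added example, not from the thread. Object names are assumed;
# x.x.x.10 / x.x.y.10 / y.y.y.10 etc. are the thread's placeholder addresses.

# 1. One snatpool per internal server, holding that server's translation
#    address on the ISP1 subnet (x.x.x.0/24) and on the ISP2 subnet (x.x.y.0/24).
create ltm snatpool serverA_snatpool members add { x.x.x.10 x.x.y.10 }
create ltm snatpool serverB_snatpool members add { x.x.x.20 x.x.y.20 }

# 2. One SNAT-list entry per server: origin = the internal host only,
#    translation = its own snatpool. Each server keeps a fixed public
#    identity per ISP, so the firewall rulebase can be written per server
#    instead of per shared floating IP.
create ltm snat serverA_snat origins add { y.y.y.10 } snatpool serverA_snatpool
create ltm snat serverB_snat origins add { y.y.y.20 } snatpool serverB_snatpool

# 3. Turn off automap/SNAT on the 0.0.0.0/0 forwarding virtual server
#    (assumed name outbound_fwd) so it stops hiding every server behind
#    the floating IP; the SNAT-list entries above now do the translation.
modify ltm virtual outbound_fwd source-address-translation { type none }

# 4. Review the result and the gateway pool whose priority group decides
#    which external VLAN (and therefore which snatpool address) is used.
list ltm snatpool serverA_snatpool
list ltm snat serverA_snat
show ltm pool default_gateway_pool members

save sys config
```

With SNAT disabled on the forwarding VS, any internal host that has no SNAT-list entry now leaves with its untranslated private address, so either give every outbound host an entry or keep a catch-all entry (or firewall rule) for the rest.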