Forum Discussion
Routed VS SNAT Deployment
Typically, we always use SNAT in our environment. I have a scenario now where I need to retain source IPs from clients thus disabling SNAT.
Here is what I have configured thus far:
1) Created a new VS with a type of "Forwarding IP," a destination network of 0.0.0.0, and a mask of 0.0.0.0. The VS is bound to all ports. It also has a fastL4 profile assigned to it, and is bound to all VLANs and all protocols.
2) Defined a default route on the BIG-IP to a gateway that can reach all of our internal applicable networks.
3) Configured the server's default gateway as the floating self-IP on the corresponding VLAN.
From the server, I can reach all external networks. However, I cannot access the server FROM a remote network. I can ping it, but all TCP connections fail (SSH, etc.).
What configuration am I missing here? My goal is to be able to access the server (which has the LTM defined as its gateway) from any network via its assigned IP address and not a VS.
Is this possible?
Thanks for any help!
18 Replies
- Josh_41258
Nimbostratus
This brings me to another question.
Would it be easier, or best practice, to carve out a new /24 for example, and directly connect it to the BIG-IP instead of attempting to use networks that are not directly connected? Essentially, make the BIG-IP the "router" for this dedicated network. Then, create one static route on our cores (which the BIG-IPs are connected to) for this new directly connected network?
Josh
- JRahm
Admin
If you need the source IP to actually be the IP (instead of passed in a header), then the BIG-IP needs to be inline for all routing, or you need to use nPath routing.
- nitass_89166
Noctilucent
15:59:51.130145 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568921727 ecr 0,nop,wscale 7], length 0
15:59:52.129598 IP fc-rodns01.corp.domain.com.57417 > buildel564.corp.domain.com.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568922727 ecr 0,nop,wscale 7], length 0
I think the 2nd packet may be the one from the BIG-IP to the server. If I am correct, the problem could be routing on the server. In tcpdump, you may include "-e" to show MAC addresses.
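The check nitass is doing by eye above (same SYN seen again, no SYN-ACK coming back) can be automated over a capture. The script below is an added example for this thread, not code from any poster or from F5; it parses tcpdump's default TCP line format, groups packets by initiator/responder pair, counts SYN retransmissions (repeated SYNs with an identical sequence number) and flags flows for which no SYN-ACK was ever seen at the capture point. The capture text, host names and ports in it are constructed placeholders modelled on the lines quoted above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample capture, modelled on the tcpdump lines quoted in the thread.
# Host names and ports are placeholders. The first flow reproduces the symptom
# (repeated SYNs with the same sequence number and no SYN-ACK); the second is a
# healthy three-way handshake for comparison.
SAMPLE_CAPTURE = """\
15:59:51.130145 IP client01.example.test.57417 > srv01.example.test.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568921727 ecr 0,nop,wscale 7], length 0
15:59:52.129598 IP client01.example.test.57417 > srv01.example.test.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568922727 ecr 0,nop,wscale 7], length 0
15:59:54.129601 IP client01.example.test.57417 > srv01.example.test.ssh: Flags [S], seq 2672739120, win 14600, options [mss 1460,sackOK,TS val 3568924727 ecr 0,nop,wscale 7], length 0
15:59:55.000100 IP client02.example.test.40022 > srv01.example.test.http: Flags [S], seq 1000, win 29200, options [mss 1460], length 0
15:59:55.000450 IP srv01.example.test.http > client02.example.test.40022: Flags [S.], seq 5000, ack 1001, win 28960, options [mss 1460], length 0
15:59:55.000800 IP client02.example.test.40022 > srv01.example.test.http: Flags [.], ack 1, win 229, length 0
"""

# Matches the start of a tcpdump TCP line; "seq" is optional because pure ACKs omit it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::\d+)?)?"
)


@dataclass
class FlowState:
    """Handshake state for one initiator -> responder endpoint pair."""
    syn_times: list = field(default_factory=list)
    syn_seqs: list = field(default_factory=list)
    syn_acks: int = 0


def split_endpoint(endpoint):
    """'host.port' -> ('host', 'port'); tcpdump puts the port after the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_line(line):
    """Return a dict for a tcpdump TCP line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
        "src": split_endpoint(m["src"]),
        "dst": split_endpoint(m["dst"]),
        "flags": m["flags"],
        "seq": int(m["seq"]) if m["seq"] else None,
    }


def collect_flows(capture):
    """Group SYNs and SYN-ACKs by the initiator's (src, dst) pair."""
    flows = defaultdict(FlowState)
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["flags"] == "S":        # bare SYN from the initiator
            st = flows[(pkt["src"], pkt["dst"])]
            st.syn_times.append(pkt["ts"])
            st.syn_seqs.append(pkt["seq"])
        elif pkt["flags"] == "S.":     # SYN-ACK: reverse the pair to find the initiator's flow
            flows[(pkt["dst"], pkt["src"])].syn_acks += 1
    return flows


def diagnose(capture):
    """One finding per flow: did the handshake complete at this capture point?"""
    findings = []
    for (src, dst), st in collect_flows(capture).items():
        # A SYN repeated with the same sequence number is a retransmission, not a new attempt.
        retransmits = len(st.syn_seqs) - len(set(st.syn_seqs))
        window = (max(st.syn_times) - min(st.syn_times)).total_seconds() if st.syn_times else 0.0
        # No SYN-ACK here means the reply never came back through this capture point:
        # the classic sign that the server's return path bypasses the BIG-IP.
        verdict = "no-syn-ack" if st.syn_acks == 0 else "handshake-ok"
        findings.append({
            "src": src, "dst": dst,
            "syn_count": len(st.syn_seqs),
            "retransmits": retransmits,
            "retry_window_s": round(window, 3),
            "syn_acks": st.syn_acks,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_CAPTURE):
        print(f"{f['src'][0]}:{f['src'][1]} -> {f['dst'][0]}:{f['dst'][1]}  "
              f"SYNs={f['syn_count']} (retransmits {f['retransmits']} over "
              f"{f['retry_window_s']}s) SYN-ACKs={f['syn_acks']}  {f['verdict']}")
```

Run it against a real `tcpdump -nn` capture taken on the BIG-IP (adding `-e` as suggested above shows which MAC the SYN was forwarded to). A flow reported as `no-syn-ack` with retransmissions roughly one, two and four seconds apart is the same pattern as in the thread: the SYN is leaving through the BIG-IP, but the server's reply is taking a different path back, which is exactly what happens when SNAT is off and the server's default gateway is not the BIG-IP floating self-IP.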
- JRahm
Admin
A full second to pass through the BIG-IP? Looks like a second SYN attempt to me.
- nitass_89166
Noctilucent
Good point. Thanks!