Routing Between DMZ & LAN using F5

tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 0.0.0.0 or host 0.0.0.0 -v tcpdump: listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 65535 b ytes Got 0 Got 0

cpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 0.0.0.0 or host 0.0.0.0 -v

source ip should be client ip you execute ping.

if no packet is captured, it means packet does not reach bigip. in that case you may have to check your network.

Hi Jim,

Can you just fall to basics and start from checking the interface physical connectivity, check in the GUI if the interfaces are shown as up, just do a shut and no shut on the switch interfaces and then follow the above procedure of creating the IP Forwarding VS with source and destination as any , any . it should work.

Regards,

Hi Friends,

I'm glad to have this support from you.

Below the result :

[root@F5-BIG-IP01:Active:Standalone] config  tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 192.168.2.1 or host 55.10.252.10 -v

tcpdump: listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes ^Ct 12 12 packets captured 12 packets received by filter 0 packets dropped by kernel

[root@F5-BIG-IP01:Active:Standalone] config tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host 192.168.2.10 or host 55.10.252.1 -v tcpdump: listening on 0.0:nnn, link-type EN10MB (Ethernet), capture size 65535 bytes ^Ct 12 12 packets captured 12 packets received by filter 0 packets dropped by kernel

But for example, my server 192.168.2.10 can't ping the gateway of the F5 55.10.252.1

And ths opposite is true too.

Thank you again

How can I do that please.

what we expect to see is (1) incoming icmp echo request from source to bigip, then (2) outgoing from bigip to destination, then (3) incoming icmp echo reply from destination back to bigip and then (4) outgoing from bigip to source.

for (1), source ip should be ip you execute ping. destination ip should be ip you ping to.

you may also use mac address to differentiate between (1) and (2) and between (3) and (4). (1) and (4) are between source and bigip. (2) and (3) are between bigip and destination.

i understand 192.168.2.1 is bigip's self ip, isn't it? why don't you ping server?

sol3475: The BIG-IP system may not respond to ICMP ping requests for a self IP address

Yes 192.168.2.1 it's a self ip associated to the nic card of the LAN.

My server on LAN which have this IP as gateway,ping on it very well. the same thing on DMZ.

But when I Tried to ping the self IP of the DMZ from the server on the LAN, and also from server on the DMZ to the self IP of LAN, that doesn't work.

And because of that my servers from both networks can't communicate to each other.

Thank you again.

But when I Tried to ping the self IP of the DMZ from the server on the LAN, and also from server on the DMZ to the self IP of LAN, that doesn't work.

it is by design.

sol3475: The BIG-IP system may not respond to ICMP ping requests for a self IP address

So what will be the solution at your opinion please.

Thank you in advance.

So what will be the solution at your opinion please.

have you tried to ping server ip (not self ip)? pinging server ip should work.