Neil_Marks
Nov 10, 2016

Setting up Forwarding IP VS on LTM to route SSH traffic

I am trying to route SSH traffic through an LTM onto a subnet. This is a prototype setup and so is slightly restrictive in that I have only one public IP address for external traffic to come into the LTM (which is a LAB license setup). Behind this I have an "outer" n/w where I have a jump server and a web server and an "inner" n/w where I have app servers. I have set up HTTP virtual servers and have an iRule to route HTTP traffic to the appropriate web server virtual IP address and onto an app server if needed. So in this setup I am attempting to route SSH requests via the single external IP address into the outer n/w layer. I have tried a network-based forwarding IP VS to no avail. Example VS definition...

    ltm virtual SSH-Forwarding-VS {
        description "Virtual Server for routing SSH traffic"
        destination 0.0.0.0:ssh
        ip-forward
        ip-protocol tcp
        mask any
        profiles {
            lab-forwarding-fastL4 { }
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port disabled
        vs-index 11
    }

Yet all that I succeed in achieving is opening an SSH session with the actual LTM itself :-( I used this as a reference: http://packetpushers.net/stateless-routing-f5-ltm/

This prototype environment has been created in the AWS cloud, so the VPC, subnets and security groups have been set up to allow the traffic through. Any suggestions appreciated, thanks!

  • Is the default gateway on your SSH server the BIG-IP? The single external IP, is this IP address configured as a virtual server IP address or is it a self IP on your BIG-IP?

    Cheers,

    Kees

  • Unfortunately not at this time. The reason for trying to set up IP forwarding for port 22 here was to remove the need for having a public IP on the jump (SSH) server and effectively route these requests via the F5. This is not a priority item at this time - have other more pressing items to sort out! So will be leaving the jump server with a public IP for now.

  • OK, so you need to apply SNAT automap to your SSH-forward-VS.

    But my other question still remains: your external IP, is this IP address configured as a virtual server IP address or is it a self IP on your BIG-IP?

    Cheers,

    Kees