Forum Discussion
Setting up Forwarding IP VS on LTM to route SSH traffic
I am trying to route SSH traffic through an LTM onto a subnet. This is a prototype setup and so is slightly restrictive in that I have only one public IP address for external traffic to come into the LTM (which is a LAB license setup). Behind this I have an "outer" n/w where I have a jump server and a web server, and an "inner" n/w where I have app servers. I have set up HTTP virtual servers and have an iRule to route HTTP traffic to the appropriate web server virtual IP address and on to an app server if needed. So in this setup I am attempting to route SSH requests via the single external IP address into the outer n/w layer. I have tried a network-based forwarding IP VS, to no avail. Example VS definition...
ltm virtual SSH-Forwarding-VS {
    description "Virtual Server for routing SSH traffic"
    destination 0.0.0.0:ssh
    ip-forward
    ip-protocol tcp
    mask any
    profiles {
        lab-forwarding-fastL4 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vs-index 11
}
Yet all that I succeed in achieving is opening an SSH session with the actual LTM itself :-( I used this as a reference: http://packetpushers.net/stateless-routing-f5-ltm/
This prototype environment has been created in the AWS cloud, so the VPC, subnets and security groups have been setup to allow the traffic through. Any suggestions appreciated, thanks!
- Chase_Abbott (Employee)
If not using SNAT, the internal server would need to use BIG-IP as the gateway, so you would get an open session and never get the SSH server response after the ACK. But.... depending on what version you have, this may benefit you if you haven't already gone over it.
- Neil_Marks (Nimbostratus)
Using 11.5.4 :-(
- Kees
Is the default gateway on your SSH server the BIG-IP??? The single external IP, is this IP address configured as a virtual server IP address or is it a self IP on your BIG-IP?
Cheers,
Kees
- Neil_Marks (Nimbostratus)
Unfortunately not at this time. The reason for trying to set up IP forwarding for port 22 here was to remove the need for having a public IP on the jump (SSH) server and effectively route these requests via the F5. This is not a priority item at this time - have other more pressing items to sort out! So will be leaving the jump server with a public IP for now.
- Kees
Ok, so you need to apply SNAT automap to your SSH-Forwarding-VS.
But my other question still remains: your external IP, is this IP address configured as a virtual server IP address or is it a self IP on your BIG-IP?
Cheers,
Kees
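As an added example that is not part of the thread (nor an F5 sample), the configuration below puts the two pieces of advice from the replies into tmsh form and adds the check a practitioner would make before exposing port 22 on the single external address. All addresses and object names are hypothetical: 10.0.1.10 stands for the BIG-IP's external self IP (the address the AWS public IP is mapped to), 10.0.2.20 for the jump server in the "outer" subnet, and 203.0.113.0/24 for the administrators' source range.

```tmsh
# Added example, not from the original post. Addresses and names are
# hypothetical placeholders; substitute your own.

# 1. The poster's forwarding VS with SNAT automap applied, as suggested above.
#    A forwarding (ip-forward) VS never rewrites the destination address, so it
#    only helps when the client already addresses the jump server's own IP
#    (e.g. from a VPN or peered subnet). SNAT automap makes the jump server
#    reply to the BIG-IP's floating self IP instead of requiring BIG-IP as its
#    default gateway.
ltm virtual SSH-Forwarding-VS {
    description "Forwarding VS for SSH, with SNAT automap"
    destination 0.0.0.0:ssh
    ip-forward
    ip-protocol tcp
    mask any
    profiles {
        lab-forwarding-fastL4 { }
    }
    source 203.0.113.0/24
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
}

# 2. What actually fits "one public IP, jump server on a private address": a
#    standard VS listening on the external address, port 22, that translates
#    the destination to the jump server via a pool. The source filter limits
#    who can reach SSH at all, and the TCP monitor keeps the VS from
#    accepting connections the jump server cannot serve.
ltm pool ssh-jump-pool {
    members {
        10.0.2.20:ssh {
            address 10.0.2.20
        }
    }
    monitor tcp
}
ltm virtual SSH-Jump-VS {
    description "Standard VS: external IP :22 -> jump server"
    destination 10.0.1.10:ssh
    ip-protocol tcp
    mask 255.255.255.255
    pool ssh-jump-pool
    profiles {
        fastL4 { }
    }
    source 203.0.113.0/24
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

# 3. If the external address is a self IP, close its own listeners so that
#    SSH to the BIG-IP itself (the symptom described in the question) is not
#    reachable from the internet; manage the box over its management
#    interface instead.
net self external-self {
    address 10.0.1.10/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan external
}
```

After loading this, confirm which object is taking the connections: `tmsh show ltm virtual SSH-Jump-VS` should show the connection count rising while you SSH to the external address, and `tcpdump -ni 0.0 port 22` on the BIG-IP should show the second leg leaving towards 10.0.2.20 with the BIG-IP's internal self IP as the source. If the connection still lands on the BIG-IP's own sshd, the external address is being handled as a self IP rather than by a virtual server, which is exactly the question Kees asks above.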