Forum Discussion
Josh_Hildebran1
Nimbostratus
Jul 13, 2006
Simple SNAT for external SMTP nodes via a VIP
I think I had this working at some point, but now I'm not entirely sure it ever did.
I'm trying to make it so that external servers can use a VIP to hit a pool of external mail servers. When I say "external" I mean on the outside of the F5. I have a separate "internal", non-snatting VIP for internal servers to hit the SMTP server pool.
This external SMTP vip needs to SNAT so that the packets come back to the F5 properly.
Here is what I have so far:
virtual smtp_snat_external {
   destination 172.20.150.25:smtp
   ip protocol tcp
   pool smtp_testpool
   rule SMTP-Ext-SNAT
   vlans external enable
}
rule SMTP-Ext-SNAT {
   when CLIENT_ACCEPTED {
      snat 172.20.150.201
   }
}
pool smtp_testpool {
   lb method member predictive
   min active members 1
   monitor all POST
   member 192.168.168.76:smtp
   member 192.168.170.50:smtp priority 2
}
monitor POST {
   defaults from smtp
   interval 30
   timeout 61
   debug "no"
   domain "bigip-monitor.org"
}
When I'm on an external server, and telnet to the VIP at 172.20.150.25 port 25, I get a connection, but no SMTP banner. On the mail server, when I run a netstat, I see this connection:
tcp 0 0 192.168.170.50:25 172.20.150.201:1272 SYN_RECV
Which means the SNAT is working, but it seems to just hang there in SYN_RECV mode.. It never gets to ESTABLISHED.
What am I missing? I'm assuming it's an iRule problem.
Thanks so much!
3 Replies
- JRahm
Admin
As the ltm is not a firewall by nature, it doesn't treat vlans as outside/inside from a policy standpoint. That said, if you have a connection hitting a vip, and a pool of assigned servers that are *outside*, you'll need to snat to get the traffic to route back through the ltm. You can snat automap, or you can build a snatpool with 1 or more addresses in it. You shouldn't need a rule for this.
BTW, you can snat on the same address as your virtual to conserve IP space if this is a concern.

pool smtp_testpool {
   lb method member predictive
   min active members 1
   monitor all POST
   member 192.168.168.76:smtp
   member 192.168.170.50:smtp priority 2
}
snatpool smtp_snatpool {
   member 172.20.150.25
}
virtual smtp_snat_external {
   destination 172.20.150.25:smtp
   ip protocol tcp
   pool smtp_testpool
   snatpool smtp_snatpool
   vlans external enable
}
You can email me offline if you pursue a non-iRules approach, as this forum is not for configuration issues.
- hoolio
Cirrostratus
Hi,
I don't think you need a rule or a SNAT for this. By default, the VIP is going to respond back to the client from the virtual IP address. If you need the BIG-IP to replace the source address on connections from the BIG-IP to the node, then you could use SNAT automap.
The BIG-IP won't send any type of SMTP message back to the client. The node in the SMTP pool would need to do this.
I don't think this is an iRule issue. If you think so, please post more info on why. If this is a VIP configuration issue, please contact support.
Thanks,
Aaron
- Josh_Hildebran1
Nimbostratus
Thanks citizen_elah. I was apparently misdirected by your engineer that came down to do the install a while back. He was the one that said to use the iRule approach. I will try out your method and go from there.
Thanks so much! 
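The point JRahm and hoolio make above is about the return path: when the pool member's route back to the source address it sees does not run through the BIG-IP, the SYN-ACK never gets un-translated and the member sits in SYN_RECV, which is the netstat symptom in the original post. The following is an added example, written for this page and not code from the thread or from F5. It models a pool member's routing decision with longest-prefix match and shows three cases: no SNAT (member replies straight to the client), SNAT to an address the member routes via the BIG-IP, and, going one step beyond the thread, SNAT to an address the member routes elsewhere, which fails the same way. The self IP 192.168.170.1, the default gateway 192.168.170.254, the client 198.51.100.23 and the member's routing table are all constructed assumptions; the VIP, SNAT and member addresses are taken from the thread.

```python
"""Model of why a SNAT is needed when pool members reply around the BIG-IP.

Added example, not from the DevCentral thread or F5. All addresses except the
VIP/SNAT/member addresses quoted from the thread are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed topology: the BIG-IP's self IP on the pool member's VLAN, and the
# member's routing table. Its default route points at a separate router that
# bypasses the BIG-IP, the layout in which un-SNATted traffic goes asymmetric.
BIGIP_SELF_IP = ip_address("192.168.170.1")
MEMBER_ROUTES = [
    (ip_network("192.168.170.0/24"), None),                        # directly connected
    (ip_network("172.20.150.0/24"), ip_address("192.168.170.1")),  # VIP/SNAT subnet via BIG-IP
    (ip_network("0.0.0.0/0"), ip_address("192.168.170.254")),      # default via another router
]


def next_hop(dst, routes=MEMBER_ROUTES):
    """Longest-prefix match over the member's routing table.

    Returns the gateway address, or None when dst is on-link.
    Raises LookupError if nothing matches (e.g. no default route).
    """
    dst = ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gateway = max(matches, key=lambda r: r[0].prefixlen)
    return gateway


def returns_via_bigip(src_seen_by_member, routes=MEMBER_ROUTES):
    """True if the member's reply to this source address is forwarded to the BIG-IP."""
    return next_hop(src_seen_by_member, routes) == BIGIP_SELF_IP


def handshake_state(client_ip, snat_ip=None, routes=MEMBER_ROUTES):
    """Report the member-side socket state after the client's SYN through the VIP.

    The member always receives the SYN from the BIG-IP; what differs is the
    source address in it: the real client IP without SNAT, snat_ip with SNAT.
    The member's SYN-ACK follows its own routing table for that address. If the
    path runs through the BIG-IP, the reply is un-translated and the client's
    ACK completes the handshake (ESTABLISHED). Otherwise the client gets a
    SYN-ACK from the member's own address instead of the VIP, discards it, and
    the member is left in SYN_RECV.
    """
    src = snat_ip if snat_ip is not None else client_ip
    return "ESTABLISHED" if returns_via_bigip(src, routes) else "SYN_RECV"


if __name__ == "__main__":
    client = "198.51.100.23"  # constructed external SMTP client
    cases = {
        "no SNAT": handshake_state(client),
        "SNAT to 172.20.150.201": handshake_state(client, "172.20.150.201"),
        "SNAT to VIP 172.20.150.25": handshake_state(client, "172.20.150.25"),
        "SNAT to unrouted 10.9.9.9": handshake_state(client, "10.9.9.9"),
    }
    for name, state in cases.items():
        print(f"{name:28} -> {state}")
```

The third case is the one JRahm's "snat on the same address as your virtual" advice sidesteps: an address the BIG-IP already owns and that the member already routes to is guaranteed to bring the reply back through the box. The model stops at routing; it does not cover a SNAT address the member can route to but that the BIG-IP does not actually own or answer ARP for, which would fail at the next layer down.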