Forum Discussion
SNAT Configuration on F5
We have 2 servers in the DMZ which are the pool members of the F5 VIP. These servers need internet access, and the servers' default gateway is pointing to the F5 self IP. Can we configure SNAT to allow these servers to map to a public IP to access the Internet, or do the rules need to be configured on the firewall, or is there any other solution to allow Internet access to these DMZ servers?
7 Replies
- Cory_50405
Noctilucent
Rather than pointing your DMZ servers to the F5's self IP, it may be better to stand up a forwarding virtual server and apply an appropriate SNAT to that virtual server. More details on the forwarding virtual server:
http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html
The way I normally do it is to point the DMZ servers to the default gateways of your DMZ network. Setup rules in your firewall to allow outbound Internet access for the servers, but block inbound access to the servers. Create another rule to allow HTTP/HTTPS services to the VIP on the F5 for the Pool of servers. SNAT only applies to inbound connections.
As Cory suggested, I've traditionally used Forwarding VSs to accomplish what you're looking for. Use SNAT, or you can let your firewall handle the translation. Just remember, either way you have to make sure any devices in front of the LTM know how to route back to the source address of the connection. Read through the referenced doc, it's pretty good.
Be careful with what Vincent is recommending above - it may work in some cases, but can break things in some configurations. For example, if you have any in-line traffic you can end up with asymmetric routing and break connections.
Thank you all for the Answers.
1) Can the SNAT below work without changing any configuration on the servers' gateway and without configuring Forwarding Virtual Servers?
ltm snat /Common/test_snat {
    origins {
        10.10.10.1/32 { }
        10.10.10.2/32 { }
    }
    translation /Common/
}
2) As the default gateway of the servers is the F5 self IP, the traffic is not hitting the firewall. I don't think we can add rules on the firewall to allow access to the Internet. Let me know if I am wrong.
The SNAT configuration is:
ltm snat /Common/test_snat {
    origins {
        10.10.10.1/32 { }
        10.10.10.2/32 { }
    }
    translation /Common/
}
- Cory_50405
Noctilucent
As long as you have defined a valid translation address (can't tell from your configs, probably sanitized) in your SNAT configuration and all the supporting routing in your network is there to accommodate that address, then this should work.
@Bkanna, even if the F5 is the DG, as long as the FW is in line with all the communication you could still translate the address through it if you wanted to.
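Putting Cory's forwarding-virtual-server suggestion together with the SNAT question, here is an added tmsh example (not the thread's config and not taken from F5's documentation) that keeps the two origin servers from the question and adds the pieces the posted SNAT is missing: a SNAT pool with a translation address, and a catch-all IP-forwarding virtual server on the DMZ VLAN that applies it to outbound traffic. The VLAN name /Common/dmz, the 10.10.10.0/24 subnet and the 203.0.113.10 translation address are assumptions.

```tmsh
# Added example, not the thread's configuration. Constructed values:
#   203.0.113.10  public translation address; upstream devices must route it back to this LTM
#   /Common/dmz   VLAN the DMZ servers sit on
#   10.10.10.0/24 DMZ subnet containing the 10.10.10.1 and 10.10.10.2 origins

# Translation address the LTM will own and answer ARP for on the external side.
ltm snatpool /Common/snat_dmz_public {
    members {
        /Common/203.0.113.10
    }
}

# IP-forwarding virtual server: no pool and no destination translation, so the
# LTM simply routes the packet. The source and vlans restrictions mean only
# traffic arriving on the DMZ VLAN from the DMZ subnet is forwarded, and that
# traffic leaves with 203.0.113.10 as its source address.
ltm virtual /Common/vs_dmz_outbound_fwd {
    destination /Common/0.0.0.0:0
    mask any
    ip-forward
    ip-protocol any
    profiles {
        /Common/fastL4 { }
    }
    source 10.10.10.0/24
    source-address-translation {
        pool /Common/snat_dmz_public
        type snat
    }
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/dmz
    }
    vlans-enabled
}
```

Because a 0.0.0.0:0 forwarder matches every destination, the source and vlans restrictions are what stop it from relaying traffic that arrives from anywhere else. As Vincent notes above, the firewall and anything else in front of the LTM must route 203.0.113.10 back to it, or return traffic never reaches the servers.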