SNATTing causes servers of one VLAN to gain access to another

Hello,

The customer is trying to do the following:

Here is their setup:

2 BIG-IP's in a HA setup.

VLAN388 and VLAN389 trunked on interface 1.4

The BIG-IP's have 3 IPaddresses in all VLANS (self-ips and a floating-ip)

On VLAN388, they have three web server listening on port 80. All three are created as nodes in the BIG-IP.

On VLAN389, they have three web server listening on port 80. All three are created as nodes in the BIG-IP.

No pools or virtual servers are created.

When they try to gain access from one server in VLAN389 to another server in VLAN388, it wouldn't work, which is great. In this case they try to telnet on port 80.

Now they have created a SNAT so that their servers from VLAN389 is able to gain access to the internet:

snat FOR-SERVERS-IN-VLAN389 {

translation 131.165.83.144

vlans VLAN389 enable

origins 172.30.54.22

}

Now, if they try to gain access from one server in VLAN389 to another server in VLAN388, they are able to connect to any port on the servers in VLAN388!

Is there a way to prevent this from happening? I don't want the servers to be able to gain access to eachother. Could this be a security issue?

Thanks

config

design

Forum Discussion

SNATTing causes servers of one VLAN to gain access to another

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

DevCentral 2024 - Share Another Day

pool members can't connect to another Virtual Server

viprion - migrate to another blade

Kill SNAT AutoMap!

Capture part of URL to redirect to another

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS