Forum Discussion
Ed_26015
Nimbostratus
Dec 04, 2010
Source routing with iRules
Hi all,
I hope you can help.
I have two interfaces on the F5 that connect back to a Cisco PIX again on different interfaces.
Topology is 10.130.4.1 & 10.130.32.1 for the PIX gateways and 10.130.4.10 & 10.130.32.10 for the F5.
Behind the F5 is a DMZ network and a Portal Network.
The DMZ network needs to route back through the 10.130.4.1 gateway whilst the Portal network needs to route back through the 10.130.32.1.
The portal has four other networks (10.130.52.0/24, 10.130.53.0/24, 10.130.54.0/24 & 10.130.55.0/24) which also need to route back through the 10.130.32.1 gateway.
I have setup a virtual server and iRule for this routing as well as a NAT for the 10.130.32.0/22 network to map to the Portal backend networks.
The iRule is;
when CLIENT_ACCEPTED {
    set failed 0
    if {[IP::addr [IP::client_addr] equals 10.130.52.0/24]}{
        # Portal networks: send the connection to the 10.130.32.1 gateway
        node 10.130.32.1
    } elseif {[IP::addr [IP::client_addr] equals 10.130.53.0/24]}{
        node 10.130.32.1
    } elseif {[IP::addr [IP::client_addr] equals 10.130.54.0/24]}{
        node 10.130.32.1
    } elseif {[IP::addr [IP::client_addr] equals 10.130.55.0/24]}{
        node 10.130.32.1
    } elseif {[IP::addr [IP::client_addr] equals 10.130.8.0/22]}{
        # DMZ network: send the connection to the 10.130.4.1 gateway
        node 10.130.4.1
    }
    # No else branch: a client outside these subnets is left to the BIG-IP routing table
}
However this isn't routing correctly as the PIX logs show;
2010-12-04 14:02:35 Local4.Debug 172.25.x.x Dec 04 2010 14:02:36: %PIX-7-609001: Built local-host schools-portal:10.130.33.13
2010-12-04 14:02:35 Local4.Info 172.25.x.x Dec 04 2010 14:02:36: %PIX-6-302020: Built outbound ICMP connection for faddr 10.130.33.13/0 gaddr edjones-pc/1 laddr edjones-pc/1
2010-12-04 14:02:35 Local4.Alert 172.25.x.x Dec 04 2010 14:02:36: %PIX-1-106021: Deny ICMP reverse path check from edjones-pc to 10.130.55.10 on interface dmz-servers
I suspect the DMZ reverse path check failing means that the iRule and virtual server source routing isn't working correctly. The traffic is basically trying to be routed through the DMZ gateway (10.130.4.1).
Please can you tell me how to get these iRules working so that I can connect to the backend networks?
Cheers,
Ed
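As an added check (not part of the original post), a small Python model of the iRule's first-match decision table: it shows which next hop each source subnet selects and that a source outside every listed subnet leaves the iRule without calling node, so the BIG-IP routing table decides. The sample client addresses are constructed; the optional default parameter models what adding an else branch would change.

```python
from ipaddress import ip_address, ip_network

# Subnet -> next-hop table from the posted iRule, in the order the elseif
# chain tests them (evaluated top to bottom, first match wins).
IRULE_BRANCHES = [
    ("10.130.52.0/24", "10.130.32.1"),
    ("10.130.53.0/24", "10.130.32.1"),
    ("10.130.54.0/24", "10.130.32.1"),
    ("10.130.55.0/24", "10.130.32.1"),
    ("10.130.8.0/22", "10.130.4.1"),
]


def select_node(client_addr, branches=IRULE_BRANCHES, default=None):
    """Return the next hop the iRule would hand to `node`.

    With default=None this mirrors the posted iRule, which has no else
    branch: an unmatched client returns None and the BIG-IP forwards the
    connection by its own routing table instead.
    """
    addr = ip_address(client_addr)
    for cidr, gateway in branches:
        if addr in ip_network(cidr, strict=True):
            return gateway
    return default


def audit(clients, branches=IRULE_BRANCHES, default=None):
    """Map each client address to its decision so the table can be reviewed
    before deployment; 'routing-table' marks the fall-through case."""
    return {c: (select_node(c, branches, default) or "routing-table")
            for c in clients}


if __name__ == "__main__":
    # Constructed sample sources: one portal host, one DMZ host, and one
    # address (10.130.40.9) that no branch covers.
    samples = ["10.130.55.10", "10.130.8.5", "10.130.40.9"]
    for client, decision in audit(samples).items():
        print(f"{client:>14} -> {decision}")
```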
9 Replies
- hoolio
Cirrostratus
Hi Ed,
when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: destination [IP::local_addr]:[TCP::local_port]"
    # Check if client IP is in the my_subnets_class datagroup
    if {[class match [IP::client_addr] equals my_subnets_class]}{
        log local0. "[IP::client_addr]:[TCP::client_port]: Matched my_subnets_class, using 10.130.32.1"
        node 10.130.32.1
    } else {
        node 10.130.4.1
        log local0. "[IP::client_addr]:[TCP::client_port]: Did not match my_subnets_class, using 10.130.4.1"
    }
}
- Ed_26015
Nimbostratus
Hi Aaron
- Chris_Miller
Altostratus
Ed,
- hoolio
Cirrostratus
Yes, logs and a simple network diagram would definitely help.
- Ed_26015
Nimbostratus
Hi both,
- Ed_26015
Nimbostratus
If it helps the current syntax of the iRule is;
- Ed_26015
Nimbostratus
Hi all,
- hoolio
Cirrostratus
Hi Ed,
- Ed_26015
Nimbostratus
Thanks very much for that Aaron... I am on holiday for a couple of days so will review the config and get back to you when I return...