Forum Discussion
static route versus IP forwarding VS
Hi,
First of all, check the stats of your Forwarding (IP) virtual server when doing the ping: if traffic is intercepted by this VS you will see packets reported; if you can't see packets, then some other object is catching your traffic.
Of course, it would be better to run tcpdump on the interface facing your Linux servers, something like this:
tcpdump -nni [your interface or vlan name facing Linux servers]:nnn -s0 'host [ip of Linux from which ping is started] and icmp'
In the trace you should see the BIG-IP listener, like this: lis=/Common/your_listener_name
If you want your wildcard VS (either Performance L4 or Forwarding IP) to only catch SMTP traffic, then you can set Service Port to 25 (or the port actually used by your servers to connect).
Considering the VS config posted by Hannes, I would say the most important omission is that, along with translate-port disabled, you should also have translate-address disabled.
Second would be that SNAT is not enabled. You need at least SNAT Automap for replies from destination servers to reach BIG-IP, assuming of course that you will not have a route to the 10.21.1.0/24 network configured on devices between BIG-IP and the Internet pointing to the BIG-IP interface in the 144.144.144.0/24 network.
I would say that setting the fastL4 profile to loose-close and loose-initialization is not necessary and a bit dangerous.
We are talking here about connections initiated by servers to the Internet, so they should always start with a proper 3-way handshake.
As all traffic will be flowing via the VS (unlike with a Direct Server Return setup), BIG-IP will also see all TCP close attempts (FIN packets).
Enabling loose-initialization allows badly formed connections or malicious packets to reach the Internet; just my opinion.
And if the loose options are not used, then it's better to enable reset-on-timeout.
Sure, if you don't care what is leaving your network, you can keep the suggested config.
Piotr
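The recommendations in Piotr's reply, written out as tmsh commands. This is an added example and not configuration posted by anyone in the thread; the object names (vs_outbound_smtp, fastL4_outbound_smtp, fastL4_loose, the "internal" VLAN) are assumptions, and 10.21.1.0/24 is the server network from the discussion. It shows the loose fastL4 profile Piotr argues against next to the stricter one he recommends, and a Performance L4 wildcard VS limited to port 25 with both translations disabled and SNAT Automap enabled.

```tmsh
# Added example (not from the original thread). Names below are assumptions.

# The profile Piotr advises against: loose init/close lets BIG-IP create a flow
# from a mid-stream packet (no 3-way handshake seen) or tear it down on a FIN
# seen from only one side. Shown only for contrast.
create ltm profile fastl4 fastL4_loose defaults-from fastL4 \
    loose-initialization enabled \
    loose-close enabled

# Recommended profile for outbound server-initiated connections: every flow must
# start with a proper SYN/SYN-ACK/ACK, BIG-IP sees both FINs anyway because it is
# in-path (no DSR), and idle flows are reset instead of silently aged out.
create ltm profile fastl4 fastL4_outbound_smtp defaults-from fastL4 \
    loose-initialization disabled \
    loose-close disabled \
    reset-on-timeout enabled

# Wildcard Performance L4 VS catching only SMTP (port 25) from the 10.21.1.0/24
# servers. translate-address AND translate-port are disabled so the original
# destination is kept; SNAT Automap makes replies come back to BIG-IP even though
# upstream devices have no route to 10.21.1.0/24.
create ltm virtual vs_outbound_smtp \
    destination 0.0.0.0:25 mask any \
    source 10.21.1.0/24 \
    ip-protocol tcp \
    profiles add { fastL4_outbound_smtp } \
    translate-address disabled \
    translate-port disabled \
    source-address-translation { type automap } \
    vlans add { internal } vlans-enabled

# Verify the listener is the one catching the traffic (the lis= field in tcpdump
# with the :nnn suffix should show /Common/vs_outbound_smtp) and watch its stats:
show ltm virtual vs_outbound_smtp
```

If you use a Forwarding (IP) VS instead (the `ip-forward` keyword in place of the explicit translation settings), address and port translation are already disabled; the SNAT Automap and the stricter fastL4 profile still apply as above.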