Forum Discussion
Traceroute & NAT Issue
Hi All,
I am facing a strange problem with F5.
1.) The first problem is related to traceroute. I can't get the F5 IP address when doing a traceroute from next-hop network devices to an internal server. This problem only occurs in TMOS 11.3.0 or later; when I change it to 11.0 it works as expected. (Please refer to my attachment; server IP: 10.2.4.1, F5 IP: 192.168.9.245.)
My question is: is there a bug in this version of the OS, or is it deliberately designed to secure the network? If yes, is there a way to change this behavior?
2.) The second problem is related to NAT. Again, in version 11.0.0, if I configure a NAT translation (i.e. one-to-one NAT) and enable it on the public-facing interface (internet VLAN), F5 will change the incoming external traffic's destination IP (the NAT-ed IP) to the configured origin IP (destination NAT), and when the server (with the configured origin IP) generates traffic to the internet through F5, F5 will change the source address of the server to the public NAT address (source NAT). In other words, F5 is doing NAT for bidirectional traffic.
But in version 11.3.0 or later, I find F5 only translates addresses for incoming traffic, not outgoing traffic (destination NAT only).
Any idea related to this issue?
Thanks
Ian
2 Replies
- ltwagnon, Ret. Employee
Hi Ian,
I did some research on your questions and found the following information. On your first question, the traceroute issue was addressed in the TMOS 11.3.0 release notes on May 2, 2013 (http://support.f5.com/kb/en-us/prod...r=29345849). Here's the ID number and resolution for the traceroute problem:
ID 347838: This release corrects an issue that caused ICMPv6 traceroute to BIG-IP to always fail.
In addition, TMOS version 11.3.0 allows "per-virtual-server" configuration for ICMP responses. Here are the details from the documentation: "You can now configure whether or not a virtual server responds to ping commands. Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP response. With this functionality, you can control the network visibility of your applications."
As for the second question, I didn't find any detailed information on the specific NAT issue you discussed, but I was able to find an issue related to NATs in TMOS 11.3.0 here: http://support.f5.com/kb/en-us/solu...14354.html. There's a hotfix (11.3.0 HF5) that solves the NAT issue, so you could try installing the hotfix and see if that helps. Also, depending on your NAT address requirements, you may be able to work around this issue by configuring a SNAT to handle outbound connections.
I hope this helps.
Thanks,
John
- ltwagnon, Ret. Employee
Ian, I also found this discussion thread, and it relates to the situation you were asking about...it doesn't necessarily answer all the questions, but I think it might help: https://devcentral.f5.com/community...540/asg/39.
Thanks,
John
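The workaround John suggests (a SNAT for the server's outbound connections alongside the one-to-one NAT for inbound), together with the per-virtual-address ICMP echo setting he quotes, as an added tmsh configuration example. This is not configuration from the thread or from F5 documentation. Assumptions: VLANs named `internet` (public side) and `internal` (server side), the public addresses 203.0.113.10 (NAT) and 203.0.113.11 (SNAT) from the documentation range, and the object names; the server 10.2.4.1 and the BIG-IP address 192.168.9.245 are taken from Ian's post. The SNAT uses a separate public address because it is not established in the thread whether the NAT's translation address can also be reused as a SNAT translation on the affected release; if you need outbound traffic to leave from the NAT address itself, test that first on a lab unit. Verify attribute names against the tmsh reference for your TMOS version before applying.

```tmsh
# Added example, not from the thread. Assumed names: VLANs "internet" and
# "internal", public addresses 203.0.113.10 / 203.0.113.11 (documentation
# range). Server 10.2.4.1 and BIG-IP 192.168.9.245 are from Ian's post.

# Inbound: one-to-one NAT, enabled only on the public VLAN. Packets arriving on
# "internet" for 203.0.113.10 have their destination rewritten to 10.2.4.1.
create ltm nat nat_server1 originating-address 10.2.4.1 translation-address 203.0.113.10 vlans add { internet } vlans-enabled arp enabled

# Outbound: a SNAT scoped to the single origin 10.2.4.1 and enabled only on the
# server-side VLAN, so connections the server initiates leave with source
# 203.0.113.11 regardless of whether the NAT object translates outbound traffic
# on this release. Scoping origins and VLANs keeps other hosts from being SNATed.
create ltm snat snat_server1 origins add { 10.2.4.1 } translation 203.0.113.11 vlans add { internal } vlans-enabled

# ICMP visibility (11.3.0 and later): the setting lives on the virtual address.
# "enabled" always answers echo requests, "disabled" never does, "selective"
# answers only while at least one virtual server on the address is available.
modify ltm virtual-address 192.168.9.245 icmp-echo enabled

# Check the resulting objects.
list ltm nat nat_server1
list ltm snat snat_server1
list ltm virtual-address 192.168.9.245 icmp-echo

save sys config

# From the bash shell, confirm the rewrite on both VLANs while the server
# opens an outbound connection:
#   tcpdump -ni internal host 10.2.4.1
#   tcpdump -ni internet host 203.0.113.11
```

If the outbound capture on `internet` still shows the server's private source address, the SNAT did not match; the usual reasons are the SNAT being enabled on the wrong VLAN or the origin list not covering the server.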