Forum Discussion
Thomas_Gobet_91
Dec 02, 2013 Cirrostratus
You can do 2 things (or more):
- Create as many virtual servers as there are Microsoft public networks (exhausting work)
- Create one virtual server with a wildcard IP (0.0.0.0/0) and limited to your internal Microsoft server IP as source.
I'll detail the second point, which is the easiest way to do it.
You have to create a virtual server with these parameters:
- Type: Forwarding (IP)
- Destination: Network with Address 0.0.0.0 and Mask 0.0.0.0
- Service Port: Any, or one virtual server per port you have
- VLAN: Enabled on "Your_Internal_VLAN"
- SNAT Automap, to be sure the traffic will be sent back through the F5
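The second option above written out as a bigip.conf-style fragment that can be loaded with `tmsh load sys config merge`. This is an added example, not configuration from the original post: the object names (fwd_ms_public_vs, internal_vlan), the source address 10.10.20.5/32 and the use of the default partition are assumptions to replace with your own values.

```tmsh
# Added example, not from the thread. Names and addresses are hypothetical.
# Forwarding (IP) virtual server that catches any destination, but only
# for traffic sourced from the internal Microsoft server, and SNATs it so
# the return traffic comes back through the BIG-IP.
ltm virtual fwd_ms_public_vs {
    destination 0.0.0.0:any          # any address, any service port
    mask any                         # network mask 0.0.0.0
    ip-forward                       # type: Forwarding (IP)
    profiles {
        fastL4 { }
    }
    source 10.10.20.5/32             # hypothetical: your internal Microsoft server
    source-address-translation {
        type automap                 # SNAT Automap
    }
    translate-address disabled       # forwarding VS: do not rewrite destination
    translate-port disabled
    vlans {
        internal_vlan                # hypothetical: "Your_Internal_VLAN"
    }
    vlans-enabled
}
```

Two practitioner checks before relying on this: the `source` attribute on a virtual server only exists on BIG-IP versions that support source-address filtering on virtual servers, so confirm your version accepts it; and virtual server selection prefers the more specific source when destination and port are equal, which is what lets this object win over an existing 0.0.0.0/0 forwarding virtual server for flows from that one host while every other flow keeps hitting the existing one. Verify the match on a test flow with `tmsh show ltm virtual fwd_ms_public_vs` (client-side connection counts should increase) before sending production traffic through it.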
smp_86112
Dec 02, 2013 Cirrostratus
Thanks for the quick response. This is where it gets tricky - the LTMs load-balance thousands of apps today, so I already have a 0.0.0.0/0 forwarding virtual server. I can't/won't enable SNAT on this VS, so does that effectively eliminate 2?
Night_67217
Dec 02, 2013 Historic F5 Account
Well, you could enable SNAT only if connections come from a specific source IP / or go to a specific destination (via an iRule), leaving your current applications unaffected. Also, I assume your backend servers have private IP addresses, so if you don't do a SNAT on the LTM (which would have routable addresses) or NAT on another device, I don't see how traffic would ever come back to these hosts. (Sorry if my assumption is not correct.)
smp_86112
Dec 02, 2013 Cirrostratus
Oh, for sure I would have to SNAT this traffic, though not because the server is in private address space (it's not). True, I could write an iRule, but I was hoping to create new objects to facilitate this communication instead of relying on an iRule. I didn't intend to get into this, but there are a number of reasons I don't want to do that. But let me consider how this might work for a minute. Using your approach, first we would need to configure our internal routers to say if the destination is one of the Microsoft public networks, it should route to our LTMs. Then I would need to apply an iRule on the LTM which says if the destination is one of those Microsoft public networks, enable SNAT. Then our LTM would forward the connection to its default gateway, which would then forward it out to the Internet. Is that how it would work, or is that nonsense?
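The iRule approach from the two replies above (SNAT only for a specific source and/or a specific destination, leaving the existing applications on the shared 0.0.0.0/0 forwarding virtual server untouched), as an added example in bigip.conf form. This is not code from the thread: the data-group name ms_public_nets, the two placeholder prefixes 192.0.2.0/24 and 198.51.100.0/24 (documentation ranges standing in for the real Microsoft public networks), the server address 10.10.20.5 and the virtual server name fwd_all_vs are all assumptions.

```tmsh
# Added example, not from the thread. Names, prefixes and addresses are hypothetical.
# Address-type data group holding the Microsoft public networks that should
# be SNATed. Replace the two documentation prefixes with the real ones.
ltm data-group internal ms_public_nets {
    records {
        192.0.2.0/24 { }
        198.51.100.0/24 { }
    }
    type ip
}

# iRule: enable SNAT only for flows from the internal Microsoft server
# to one of those networks. Every other flow through the shared
# 0.0.0.0/0 forwarding VS keeps its original client source address.
ltm rule snat_ms_public {
when CLIENT_ACCEPTED {
    # IP::local_addr is the destination the client connected to; on a
    # forwarding VS that is the real destination (no address translation).
    # "equals" against an ip data group is a subnet containment match.
    if { [IP::addr [IP::client_addr] equals 10.10.20.5] &&
         [class match [IP::local_addr] equals ms_public_nets] } {
        snat automap
    } else {
        # Explicit no-SNAT, so the existing applications are unaffected.
        snat none
    }
}
}
```

Attach the rule to the existing forwarding virtual server with `tmsh modify ltm virtual fwd_all_vs rules { snat_ms_public }` rather than redefining that object in a merge file, since a merge replaces the whole object. The routing described in the last post is unchanged by this: the internal routers still have to send Microsoft-bound traffic to the LTM, and the LTM still forwards to its default gateway; the iRule only decides whether the source address is rewritten to a self IP on the way out, which is what makes the return traffic come back through the BIG-IP.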