Forum Discussion

smp_86112
Dec 02, 2013

Using LTM for network forwarding

Our data center architecture has a pretty standard model, with an "internal" network and a "DMZ". Our internal network does not have a direct route to the Internet. However, I have LTMs in our DMZ that can access the Internet directly. We have a server in our internal network running Microsoft Office 365 "Hybrid services" that needs to access a number of Microsoft Office 365 public networks, and I am being asked to facilitate this connectivity with our LTM. But given my lack of networking knowledge, I don't quite understand how I might configure the LTM to do this. I get a bit lost when it comes to how the different VS types function.

 

I was hoping someone might be able to help me understand at a high level what we would need to do in our network gear, and on the LTM, to enable this communication?

 

57 Replies

  • Yes, the F5 can reach both the internal server and the public internet cloud. So assuming we have routes on our internal router for all these public cloud networks pointing at our F5, I'm trying to understand all the various forwarding configuration options I've got. It sounds like I could create a forwarding VS for each corresponding public cloud network and enable SNAT. Painful, but possible. Based on a comment above, it sounds like I could apply an iRule to my existing wildcard VS and SNAT traffic with a destination of these public internet clouds. I don't want to do this either, but possible. Are there other VS types or properties on the F5 that would allow this internal server to get out to a public network?

     

    If the connection was point-to-point, this would be simple. The kicker for me is that the destination is a network, not a single endpoint. That throws a non-networking guy like me for a loop.

     

  • You don't need to create iRule, you can specify source IP which will match your virtual server.

     

    So you can specify a forwarding virtual server with 0.0.0.0/0 as destination and in Source IP the Microsoft server's IP.

     

    That's all ;)

     

    • smp_86112
      Whoa, I don't understand at all what you have described or how it would work. Can you fill in the gaps a bit there?
  • Don't know where I lost you... Can you tell me which version you're running on?

     

    It could be a reason that you don't understand where we can define a source IP on a virtual server.

     

    • smp_86112
      I'm running 10.2.4HF6. Again, I appreciate your willingness to stick with me.

      > you don't understand where we can define a source IP on a virtual server

      That's possible, if not likely; we could be talking about VS properties or behavior I've never used or thought about before.
  • On 10.2 you don't have the "Source IP" directly from VS properties.

    You have to use an iRule on your forwarding virtual server to apply SNAT only if the source IP is your Microsoft server.
    when CLIENT_ACCEPTED {
        # Only the one internal host gets source-translated; all other
        # traffic through this forwarding VS keeps its original source IP.
        if { [IP::addr [IP::client_addr] equals "your_server's_IP"] } {
            snat automap
        }
    }
    
    • smp_86112
      I get the iRule, but what VS are you suggesting I apply it to?
  • You told me you have a forwarding virtual server in your LTM configuration.

     

    I don't know which one it is, but it has to listen to traffic coming from the "Internal" VLAN and going to public addresses (the easiest would be a 0.0.0.0/0 forwarding server).

     

    • smp_86112
      OK, yeah, that's the one I thought you were talking about - Night proposed this model earlier in the thread, and I think I understand how this would work. Not ideal in my case, as this LTM is very, very busy and hardware resources are limited. So I'm looking for alternatives to this. Based on what I've heard and my own limited understanding, I'm thinking my only other option is to create network forwarding virtual servers for each public network and enable SNAT. Then, to get traffic there, we would need to add routes for these networks on our internal routers pointing at the LTM.
    • Thomas_Gobet
      Yes, what you suggested is right; it's another possibility. You can do it "only" if you know all the different public networks your server will reach.
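The two designs the thread converges on, a source-restricted 0.0.0.0/0 forwarding VS and one forwarding VS per known public network with routes on the internal router, are easy to get subtly wrong by hand (overlapping prefixes, a typo that forwards internal space out through SNAT). The script below is an added example, not code from this thread or from F5: it validates a list of public prefixes, collapses overlaps, and emits the tmsh and router commands for both designs. All addresses and the VLAN name are constructed placeholders, and the tmsh syntax (`ip-forward`, `snat automap`, `source`, `vlans-enabled`) is my assumption of the v11+ form; `source` on a virtual server needs 11.3 or later, so on 10.x drop it and use the iRule shown earlier instead.

```python
"""
Plan the LTM forwarding setup discussed above for a single internal host.
Added example, not from the thread or from F5. Every address below is a
constructed placeholder, and the tmsh / router syntax is an assumption
(v11+ tmsh; Cisco-style static routes): verify against your versions.
"""
import ipaddress

# Constructed placeholders (not real Office 365 ranges or real hosts).
INTERNAL_SERVER = "10.20.30.40"        # the host running the Hybrid services
LTM_INTERNAL_SELF_IP = "10.20.0.254"   # self IP the internal router points at
INTERNAL_VLAN = "internal"             # VLAN name on the LTM, assumed
INTERNAL_NETS = [ipaddress.ip_network(r) for r in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Deliberately includes a /25 inside one of the /24s to show collapsing.
PUBLIC_NETWORKS = ["203.0.113.0/24", "203.0.113.128/25", "198.51.100.0/24"]


def overlaps_internal(prefix):
    """True if the prefix touches RFC1918 space: a typo here would send
    internal-to-internal traffic out through SNAT, so we refuse it."""
    net = ipaddress.ip_network(prefix, strict=True)  # reject host bits set
    return any(net.overlaps(i) for i in INTERNAL_NETS)


def normalize_networks(networks):
    """Parse, reject internal overlaps, and collapse duplicates and
    sub-prefixes so each public range gets exactly one VS and one route."""
    parsed = []
    for item in networks:
        if overlaps_internal(item):
            raise ValueError(f"{item} overlaps internal space; refusing to forward it")
        parsed.append(ipaddress.ip_network(item, strict=True))
    return list(ipaddress.collapse_addresses(parsed))  # sorted, merged


def vs_name(net):
    """Deterministic name, e.g. vs_fwd_198_51_100_0_24."""
    return f"vs_fwd_{str(net.network_address).replace('.', '_')}_{net.prefixlen}"


def per_network_vs_commands(networks, server_ip):
    """One forwarding (IP) VS per public network with SNAT automap, listening
    only on the internal VLAN and only for the one internal source host."""
    cmds = []
    for net in normalize_networks(networks):
        cmds.append(
            f"create ltm virtual {vs_name(net)} "
            f"destination {net.network_address}:any mask {net.netmask} "
            f"source {server_ip}/32 ip-forward snat automap "
            f"profiles add {{ fastL4 }} vlans-enabled vlans add {{ {INTERNAL_VLAN} }}"
        )
    return cmds


def wildcard_vs_command(server_ip):
    """The other design from the thread: a single 0.0.0.0/0 forwarding VS
    whose source filter limits it to the one host ('source' needs 11.3+)."""
    return (
        f"create ltm virtual vs_fwd_any_{server_ip.replace('.', '_')} "
        f"destination 0.0.0.0:any mask 0.0.0.0 source {server_ip}/32 "
        f"ip-forward snat automap profiles add {{ fastL4 }} "
        f"vlans-enabled vlans add {{ {INTERNAL_VLAN} }}"
    )


def router_static_routes(networks, next_hop):
    """Static routes the internal router needs so the traffic reaches the
    LTM's internal self IP (Cisco-style syntax assumed; adapt to your gear)."""
    return [
        f"ip route {net.network_address} {net.netmask} {next_hop}"
        for net in normalize_networks(networks)
    ]


if __name__ == "__main__":
    print("# per-network forwarding virtual servers (tmsh)")
    for c in per_network_vs_commands(PUBLIC_NETWORKS, INTERNAL_SERVER):
        print(c)
    print("# or: one wildcard VS restricted by source (11.3+)")
    print(wildcard_vs_command(INTERNAL_SERVER))
    print("# static routes on the internal router")
    for r in router_static_routes(PUBLIC_NETWORKS, LTM_INTERNAL_SELF_IP):
        print(r)
```

Run it and paste the output into tmsh after checking it; the `source`/32 restriction and `vlans-enabled` are what keep the SNAT path from becoming a general-purpose Internet exit for every internal host whose traffic happens to reach the LTM. With the sample list, the /25 is absorbed into its /24, so only two virtual servers and two routes come out.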