Forum Discussion
Using LTM for network forwarding
Our data center architecture has a pretty standard model, with an "internal" network and a "DMZ". Our internal network does not have a direct route to the Internet. However, I have LTMs in our DMZ that can access the Internet directly. We have a server in our internal network running Microsoft Office 365 "Hybrid services" that needs to access a number of Microsoft Office 365 public networks, and I am being asked to facilitate this connectivity with our LTM. But given my lack of networking knowledge, I don't quite understand how I might configure the LTM to do this. I get a bit lost when it comes to how the different VS types function.
I was hoping someone might be able to help me understand at a high level what we would need to do in our network gear, and on the LTM, to enable this communication?
57 Replies
- Thomas_Gobet_91
Cirrostratus
You can do 2 things (or more):
- Create as many Virtual Servers as there are Microsoft public networks (exhausting work)
- Create one virtual server with a wildcard IP (0.0.0.0/0) and limited to your internal Microsoft server IP as source.
I'll detail the second point, which is the easiest way to do it.
You have to create a virtual server with these parameters:
- Type: Forwarding (IP)
- Destination: Network with Address 0.0.0.0 and Mask 0.0.0.0
- Service Port: Any, or one virtual server per port you have
- VLAN: Enabled on "Your_Internal_VLAN"
- SNAT Automap to be sure the traffic will be sent back through the F5
- smp_86112
Cirrostratus
Thanks for the quick response. This is where it gets tricky - the LTMs load-balance thousands of apps today, so I already have a 0.0.0.0/0 forwarding virtual server. I can't/won't enable SNAT on this VS, so does that effectively eliminate 2?
- Night_67217
Historic F5 Account
Well, you could enable SNAT only if connections come from a specific source IP / or go to a specific destination (via an iRule), leaving your current applications unaffected. Also, I assume your backend servers have private IP addresses, so if you don't do a SNAT on the LTM (which would have routable addresses) or NAT on another device, I don't see how traffic would ever come back to these hosts. (sorry if my assumption is not correct)
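A worked configuration for the source-restricted forwarding virtual server Thomas describes, placed beside an existing 0.0.0.0/0 forwarder that must keep SNAT off. This is an added example, not configuration from either poster or from F5; the server address 10.10.20.15, the VLAN name `internal` and the object name are assumptions, and a per-virtual-server `source` prefix needs TMOS 11.3 or later.

```tmsh
# Added example (assumed values, not from the thread).
# Both forwarders share the same wildcard destination, so the BIG-IP picks
# the one with the more specific source prefix for flows from 10.10.20.15
# and leaves every other flow on the existing SNAT-less 0.0.0.0/0 VS.
# Assumptions: 10.10.20.15 is the internal Office 365 hybrid server,
# "internal" is the VLAN on which that server reaches the LTM.

create ltm virtual vs_o365_hybrid_fwd {
    destination 0.0.0.0:any
    mask any
    source 10.10.20.15/32
    ip-forward
    profiles { fastL4 { } }
    vlans { internal }
    vlans-enabled
    source-address-translation { type automap }
    translate-address disabled
    translate-port disabled
}

# To narrow it to the Microsoft networks instead (Thomas's first option),
# replace "destination 0.0.0.0:any" / "mask any" with one of the published
# Microsoft prefixes, e.g. destination <MS_PREFIX>:any and mask <MS_MASK>,
# one virtual server per prefix. <MS_PREFIX>/<MS_MASK> are placeholders.

save sys config

# Check that traffic from the hybrid server lands on the new VS and not on
# the wildcard forwarder: the first command shows the VS status and its
# connection counters, the second lists live flows from that source.
show ltm virtual vs_o365_hybrid_fwd
show sys connection cs-client-addr 10.10.20.15
```

The internal routers still need a static route sending the Microsoft public networks to the LTM's internal self IP (or floating self IP on an HA pair); the LTM then forwards on its own default route toward the DMZ firewall.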
- smp_86112
Cirrostratus
Oh for sure I would have to SNAT this traffic, though not because the server is in private address space (it's not). True I could write an iRule, but I was hoping to create new objects to facilitate this communication instead of relying on an iRule. I didn't intend to get into this, but there's a number of reasons I don't want to do that. But let me consider how this might work for a minute. Using your approach, first we would need to configure our internal routers to say if the destination is one of the Microsoft public networks, it should route to our LTMs. Then I would need to apply an iRule on the LTM which says if the destination is one of those Microsoft public networks, enable SNAT. Then our LTM would forward the connection to its default gateway, which would then forward it out to the Internet. Is that how it would work, or is that nonsense?
- What_Lies_Bene1
Cirrostratus
When you say 'with our LTM' I assume you mean via the DMZ LTMs yes?
- Thomas_Gobet
Nimbostratus
Does your router or firewall between the Internet and your F5 have a route to your Microsoft server?
- smp_86112
Cirrostratus
Initially I said yes, but I misunderstood. Actually, I don't know. I know you can't get from the Internet to the Microsoft server, but I'm not sure if that's because the route isn't there or because of firewall policy. I'm going to ask our guys and post back.
- Thomas_Gobet_91
Cirrostratus
This route is pointing to your BIG-IP, isn't it?
If it is, you have the choice between both my suggestions at the beginning.
- smp_86112
Cirrostratus
I am severely out of my element now, but I talked to my guy. He says we are advertising the routes to our internal networks (which includes the Microsoft server) out to the Internet, but our ACL drops anything except traffic destined for our DMZ. Does that answer the question you are getting at?
- Thomas_Gobet_91
Cirrostratus
So, what it means is your Microsoft server is reachable from the Internet only if there's a DMZ IP address for it.
Is it right? If it is, do you know this IP and is it published by your LTM?
- smp_86112
Cirrostratus
Yes, I guess you could think of it that way. But I don't have anything on the LTM now to make the MS server reachable. I could certainly create a VS with a public IP reachable from the Internet, a wildcard port, and enable SNAT, but it seems like that would only facilitate inbound connectivity when I think the main challenge is getting the server to go out.
- Thomas_Gobet_91
Cirrostratus
Creating a wildcard VS is not only for inbound traffic.
Depending on which VLAN you're listening on, it can forward traffic coming from the "Internal" VLAN to the "External" VLAN (outbound traffic).
What you have to check is:
1. Does your firewall allow your BIG-IP to go out to the Internet?
1.a) If it doesn't, is there an IP in the DMZ that your F5 can use to SNAT your Microsoft server?
1.b) If it does, you can use a virtual server with SNAT Automap.
- smp_86112
Cirrostratus
First, thanks for sticking with me. Yes, our infrastructure does allow the LTM to get out to the Internet. The answer to both a) and b) is yes, I could do either. But the thing I am struggling with first is not how to get the LTM -> Internet (that will come later), it's how to get the MS server to the LTM for a defined set of public Microsoft networks. Do we create routes on our internal router saying that the next hop for the public Microsoft networks is the LTM?