Hummingbird_143
Jul 11, 2014

virtual server snatpool, only automap works for different vlan connection

There are several VLANs hosted on our F5, for example vlan 1, vlan 2, and vlan 3. The default router is on the same network as vlan 1, each VLAN has a self IP created, and the route domain is the default one, which includes all the VLANs.

The problem is that for a virtual server created using a SNAT pool, if automap is used, it always uses the self IP on vlan 1, which has the default router defined. Now we need to change the SNAT to use an address on a different VLAN by creating a SNAT pool using an IP on vlan 2, for example; then it fails to connect to the backend server. The backend server is on another VLAN, say vlan 4, and it works for backend servers on vlan 2, the same VLAN as the SNAT pool IP.

Here is the server side dump; 2.2.2.2 is the self IP from vlan 2, 4.4.4.4 is the server on vlan 4.

10:41:05.808877 IP 2.2.2.2.54584 > 4.4.4.4.443: S 211718454:211718454(0) win 4380
10:41:05.822667 IP 4.4.4.4.443 > 2.2.2.2.54584: S 3661148524:3661148524(0) ack 211718455 win 5792
10:41:05.823906 IP 2.2.2.2.54584 > 4.4.4.4.443: R 1:1(0) ack 1 win 0

Could you good people shed some light on this: how to let the F5 SNAT from IP addresses on other VLANs?

We have a 6900, version 10.2.4.

Thanks in advance!
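The three packets in the dump are the interesting part of the capture: the server answers the SYN, and the SNAT address immediately resets the half-open connection instead of completing the handshake. The following script is an added example, not part of the original post and not F5 tooling. It parses tcpdump lines in the legacy flag format shown in the post, groups packets into flows and classifies how each handshake ended, so that flows showing exactly this SYN, SYN-ACK, RST pattern can be picked out of a larger capture. The first flow in the sample is the one from the post; the second flow (a constructed backend 2.2.2.50 on vlan 2) shows a healthy handshake for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the tcpdump lines from the post. The first
# three lines are the failing flow from the post; the remaining lines are a
# made-up healthy flow to a server on the same VLAN as the SNAT address.
SAMPLE_DUMP = """\
10:41:05.808877 IP 2.2.2.2.54584 > 4.4.4.4.443: S 211718454:211718454(0) win 4380
10:41:05.822667 IP 4.4.4.4.443 > 2.2.2.2.54584: S 3661148524:3661148524(0) ack 211718455 win 5792
10:41:05.823906 IP 2.2.2.2.54584 > 4.4.4.4.443: R 1:1(0) ack 1 win 0
10:41:06.100000 IP 2.2.2.2.54590 > 2.2.2.50.443: S 1000:1000(0) win 4380
10:41:06.101000 IP 2.2.2.50.443 > 2.2.2.2.54590: S 2000:2000(0) ack 1001 win 5792
10:41:06.102000 IP 2.2.2.2.54590 > 2.2.2.50.443: . ack 1 win 4380
"""

# Legacy tcpdump TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
# where <flags> is a run of S, R, P, F or "." (ack only).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPF.]+)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump line into a packet dict, or None if it is not a TCP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    flags = d["flags"]
    # In the legacy format a SYN carrying an "ack" field is the server's SYN-ACK.
    has_ack = re.search(r"\back\b", d["rest"]) is not None
    if "S" in flags:
        kind = "SYN-ACK" if has_ack else "SYN"
    elif "R" in flags:
        kind = "RST"
    elif flags == ".":
        kind = "ACK"
    else:
        kind = "DATA"
    return {
        "ts": d["ts"],
        "src": (d["src"], int(d["sport"])),
        "dst": (d["dst"], int(d["dport"])),
        "kind": kind,
    }


def classify_flows(dump_text):
    """Group packets by endpoint pair and describe how each handshake ended.

    Returns {"client:port -> server:port": outcome}. The client is whoever sent
    the first plain SYN. The outcome "client reset after SYN-ACK" is the pattern
    in the post: the server replied, and the SNAT side tore the connection down.
    """
    flows = defaultdict(list)
    for line in dump_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            flows[tuple(sorted([pkt["src"], pkt["dst"]]))].append(pkt)

    results = {}
    for pkts in flows.values():
        syns = [p for p in pkts if p["kind"] == "SYN"]
        if not syns:
            continue  # no handshake start captured; nothing to classify
        client, server = syns[0]["src"], syns[0]["dst"]
        seq = [("C" if p["src"] == client else "S", p["kind"]) for p in pkts]
        name = f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}"
        if ("S", "SYN-ACK") not in seq:
            outcome = "no SYN-ACK (SYN unanswered)"
        else:
            after = seq[seq.index(("S", "SYN-ACK")) + 1:]
            if after and after[0] == ("C", "RST"):
                outcome = "client reset after SYN-ACK"
            elif ("C", "ACK") in after or ("C", "DATA") in after:
                outcome = "established"
            else:
                outcome = "incomplete"
        results[name] = outcome
    return results


if __name__ == "__main__":
    for flow, outcome in classify_flows(SAMPLE_DUMP).items():
        print(f"{flow:<32} {outcome}")
```

Run it against a real capture with `tcpdump -nn` output piped in instead of `SAMPLE_DUMP`; a SNAT address that keeps showing up as "client reset after SYN-ACK" toward one set of servers, while flows to servers on the SNAT address's own VLAN are "established", is the same split the post describes.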


5 Replies

  • Hi,

    You must specify in the SNAT pool a range of free IP addresses for every VLAN on which you need source address translation. Then associate this SNAT pool with the virtual server.

    The BIG-IP SNAT pool will automatically select the appropriate IP address on the exit VLAN.

    More info: https://support.f5.com/kb/en-us/solutions/public/7000/800/sol7820.html
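To illustrate the advice in this reply (one free address per egress VLAN), here is an added example, not from the post and not F5 code, that audits a SNAT pool against the VLAN self-IP subnets. For each backend it works out which VLAN the BIG-IP will exit on (a directly attached subnet if the server is on one, otherwise the VLAN holding the default route, vlan 1 in the question) and lists the pool members that live on that VLAN; an empty list is the gap the reply describes. The subnets, the 1.1.1.10 and 3.3.3.10 pool members and the 2.2.2.50 backend are constructed; 2.2.2.2, 4.4.4.4 and the default-route VLAN come from the question.

```python
import ipaddress

# Constructed self-IP subnets per VLAN. Only 2.2.2.2 (vlan 2) appears in the
# question; the other networks are made up for this example.
VLAN_SUBNETS = {
    "vlan1": ipaddress.ip_network("1.1.1.0/24"),
    "vlan2": ipaddress.ip_network("2.2.2.0/24"),
    "vlan3": ipaddress.ip_network("3.3.3.0/24"),
}
DEFAULT_ROUTE_VLAN = "vlan1"  # the default router sits on vlan 1 (from the question)

SNAT_POOL_AS_POSTED = ["2.2.2.2"]  # single member on vlan 2, as in the question
SNAT_POOL_PER_VLAN = ["1.1.1.10", "2.2.2.2", "3.3.3.10"]  # constructed: one free IP per VLAN

BACKENDS = ["4.4.4.4", "2.2.2.50"]  # 4.4.4.4 from the question; 2.2.2.50 constructed


def egress_vlan(server_ip, vlan_subnets=VLAN_SUBNETS, default_route_vlan=DEFAULT_ROUTE_VLAN):
    """VLAN the BIG-IP sends server-side traffic out of: a directly attached
    subnet if the server is on one, otherwise the VLAN of the default route."""
    addr = ipaddress.ip_address(server_ip)
    for vlan, net in vlan_subnets.items():
        if addr in net:
            return vlan
    return default_route_vlan


def snat_members_on(vlan, snat_pool, vlan_subnets=VLAN_SUBNETS):
    """Pool members whose address is inside the given VLAN's subnet."""
    net = vlan_subnets[vlan]
    return [ip for ip in snat_pool if ipaddress.ip_address(ip) in net]


def audit_snat_pool(backends, snat_pool, vlan_subnets=VLAN_SUBNETS,
                    default_route_vlan=DEFAULT_ROUTE_VLAN):
    """For each backend, report the egress VLAN and the SNAT members usable on it.
    An empty 'usable_snat' list means no pool address lives on the exit VLAN."""
    report = {}
    for server_ip in backends:
        vlan = egress_vlan(server_ip, vlan_subnets, default_route_vlan)
        report[server_ip] = {
            "egress_vlan": vlan,
            "usable_snat": snat_members_on(vlan, snat_pool, vlan_subnets),
        }
    return report


if __name__ == "__main__":
    for label, pool in (("as posted", SNAT_POOL_AS_POSTED), ("one per VLAN", SNAT_POOL_PER_VLAN)):
        print(f"SNAT pool {label}: {pool}")
        for server, info in audit_snat_pool(BACKENDS, pool).items():
            status = "ok" if info["usable_snat"] else "NO MEMBER ON EGRESS VLAN"
            print(f"  {server:<10} egress={info['egress_vlan']:<6} usable={info['usable_snat']} {status}")
```

With the pool as posted, 4.4.4.4 (reached via the default route on vlan 1) has no usable member, while 2.2.2.50 on vlan 2 does; adding a free vlan 1 address to the pool gives every backend a member on its exit VLAN, which is what the reply asks for.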


  • Automap translates the source IP to the floating self IP of the egress VLAN.

    A SNAT pool should contain an IP address that resides on each possible egress VLAN network, as Pedro has pointed out.


  • Thanks for your response!

    The backend server is on vlan 4, which is at a different datacenter. I can't trunk vlan 4 to the F5; instead I want to use an IP from vlan 2 in the virtual server's SNAT pool to backend servers on vlan 4, which doesn't work, as you can see from the tcpdumps in my first post: 2.2.2.2 sends a reset to 4.4.4.4.

    Also, I have added a virtual server using the same SNAT address 2.2.2.2, and 4.4.4.4 has no problem accessing that virtual server, so it seems to me that packets originating from the F5 have a problem reaching servers on a VLAN that is not on the F5?

    Thanks again, Lily


    • Hummingbird_143
      Also, if I try to ping an outside host from an interface on the F5 other than vlan 1, which has the default router configured, the ping fails; only pinging from the vlan 1 interface works. The default route is the upgrade router IP, listed under "Partition Default Route Domain" on the F5, which includes vlan 2. I wonder why vlan 2 traffic won't be able to use this default router to get out? Any help or suggestions will be greatly appreciated!! Lily
  • Sorry, I'm a bit lost trying to visualize your network/vlan architecture. Can you post a diagram that includes the addresses, vlans, F5s, and default gateway configuration you're describing?