Forum Discussion
Wildcard in SNAT
Are you trying to solve a different problem, or are you actually just looking to set up access for the BIGIP to F5 domain resources? There should be no reason, normally, for BIGIP to talk to F5, unless you are using IP reputational feeds, looking to auto re-activate license (which you can do manually), or auto send QKViews to iHealth (which you can do manually). Just looking to clarify that one bit 🙂
- jayantand, Jun 11, 2023, Altostratus
Hi whisperer,
I have two issues
1. IP intelligence/reputation feeds: as you mentioned, that can be done manually as well; doing it that way now.
2. I want to configure an MS Teams webhook and I was told to allow *.office.com. This is where I am facing the challenge.
The FW1 sitting inline (LTM->FW1->Internet) doesn't support wildcard. Hence I am thinking of these two approaches. Will be glad to find an easy alternative 😊
LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[Allow all https for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet
OR
LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[PBR to FW2 that supports * for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet
- whisperer, Jun 12, 2023, MVP
Normally, I would say just trust the F5 self IPs out to Internet with a dedicated firewall rule. Don't do any URL whitelisting. BUT, if you don't use SNAT pools and use auto SNAT, that type of firewall policy would not be restrictive enough for potentially VIP related traffic -- for example, load balancing proxy servers.
The issue is really how to differentiate F5 generated traffic from other traffic also hiding behind the SNAT IP address. If you can't, then perhaps a) whitelist multiple destinations, b) consider a more capable firewall, c) utilize automation like Ansible Tower to automate the update tasks.
While there may be a solution for what you are trying to accomplish, I can't think of an "elegant one". I have seen in the past companies use a dedicated network for management traffic, where you could use static management routes for traffic to egress the MGMT interface, and then have a dedicated switch/firewall for controlling traffic.
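The point whisperer makes about auto SNAT versus SNAT pools can be made concrete with a small policy simulation. The following is an added example, not code from the thread or from F5: it models a first-match firewall with a rule that trusts the BIG-IP self IP (1.1.1.1, taken from the thread) out to the Internet on 443, and then shows what that rule permits when virtual-server traffic egresses from the same self IP (automap) versus from a dedicated SNAT pool. The SNAT pool addresses, the partner network and the client/destination addresses are constructed for illustration.

```python
"""Added example: why "allow the self IP out to the Internet" is only a safe
firewall rule when VIP-proxied traffic does NOT also egress from the self IP.
All addresses, rules and flows below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    origin: str  # "self": BIG-IP's own traffic (feeds, webhooks); "vip": client traffic proxied by a virtual server


SELF_IP = "1.1.1.1"                   # self IP mentioned in the thread
SNAT_POOL = ("1.1.1.10", "1.1.1.11")  # constructed: dedicated SNAT pool for VIP traffic (inside 1.1.1.8/29)
PARTNER_NET = "203.0.113.0/24"        # constructed: the only network VIP-proxied traffic should reach

# Constructed firewall policy, first match wins, implicit deny at the end.
FIREWALL: List[Rule] = [
    Rule("self-ip-egress", f"{SELF_IP}/32", "0.0.0.0/0", 443, "allow"),  # "trust the self IP out to Internet"
    Rule("vip-to-partner", "1.1.1.8/29", PARTNER_NET, 443, "allow"),     # VIP traffic may only reach the partner
]

# Constructed flows as they leave the BIG-IP, before source address translation.
FLOWS: Dict[str, Flow] = {
    "bigip-to-vendor": Flow(SELF_IP, "198.51.100.20", 443, "self"),          # e.g. a feed download or webhook
    "client-via-vip-to-anywhere": Flow("192.0.2.77", "198.51.100.40", 443, "vip"),
    "client-via-vip-to-partner": Flow("192.0.2.77", "203.0.113.9", 443, "vip"),
}


def apply_snat(flow: Flow, mode: str) -> Flow:
    """Return the flow as the firewall sees it after SNAT on the BIG-IP.

    mode "automap": everything, VIP traffic included, egresses from the self IP.
    mode "pool":    VIP traffic egresses from the SNAT pool; the BIG-IP's own
                    traffic keeps the self IP as its source.
    """
    if flow.origin == "self":
        return Flow(SELF_IP, flow.dst, flow.dport, flow.origin)
    if mode == "automap":
        return Flow(SELF_IP, flow.dst, flow.dport, flow.origin)
    if mode == "pool":
        return Flow(SNAT_POOL[0], flow.dst, flow.dport, flow.origin)
    raise ValueError(f"unknown SNAT mode: {mode}")


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match policy evaluation; returns (action, matching rule name)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in rules:
        if (src in ip_network(rule.src) and dst in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == flow.dport)):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def run_scenario(mode: str) -> Dict[str, Tuple[str, str]]:
    """Evaluate every constructed flow under the given SNAT mode."""
    return {label: evaluate(FIREWALL, apply_snat(flow, mode)) for label, flow in FLOWS.items()}


if __name__ == "__main__":
    for mode in ("automap", "pool"):
        print(f"SNAT mode: {mode}")
        for label, (action, rule) in run_scenario(mode).items():
            print(f"  {label:30} -> {action:5} ({rule})")
```

Under "automap" every flow matches the self-ip-egress rule, so a client proxied through a virtual server can reach any Internet host on 443 as if it were the BIG-IP itself; under "pool" only the BIG-IP's own traffic gets the broad rule and VIP traffic is confined to the partner network. On a BIG-IP the pool case corresponds to giving the virtual server a SNAT pool (tmsh `source-address-translation { type snat pool <name> }`) instead of automap, so the firewall can tell the two sources apart by address.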