Forum Discussion

jayantand's avatar
jayantand
Icon for Altostratus rankAltostratus
Jun 10, 2023

Wildcard in SNAT

I want configure an snat translation to change the source IP ltm tries to connect *.f5.com(say). Can I use wildcard in snat? If not, is there any other solution to this?

Current Scenerio: LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1 [Takes 0.0.0.0/0] --> Internet

Issue: FW1 does't support *, can't allow access only to *.f5.com.

 

Proposed:

LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[Allow all https for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet OR

LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[PBR to FW2 that supports * for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet OR

  • Are you trying to solve a different problem, or are you actually just looking to setup access for the BIGIP to F5 domain resources? There should be no reason, normally, for BIGIP to talk to F5, unless you are using IP reputational feeds, looking to auto re-activate license (which you can do manually), or auto send QKViews to iHealth (which you can do manually). Just looking to clarify that one bit 🙂

     

    • jayantand's avatar
      jayantand
      Icon for Altostratus rankAltostratus

      Hi whisperer,

      I have two issues

      1. IP intelligence/ reputation feeds: as you mentioned that can be done manually as well, doing it that way now.

      2. I want configure an MS Teams webhook and I was told to allow *.office.com. This is where I am facing the challenge.

      The FW1 sitting inline (LTM->FW1->Internet) doesn't support wildcard. Hence I am thinking of these two approaches. Will be glad to find an easy alternative ðŸ˜Š

      LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[Allow all https for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet OR

      LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[PBR to FW2 that supports * for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet OR

      • whisperer's avatar
        whisperer
        Icon for MVP rankMVP

        Normally, I would say just trust the F5 self IPs out to Internet with a dedicated firewall rule. Don't do any URL whitelisting. BUT, if you don't use SNAT pools and use auto SNAT, that type of firewall policy would not be restrictive enough for potentially VIP related traffic -- for example, load balancing proxy servers.

        The issue is really how to differentiate F5 generated traffic from other traffic also hiding behind the SNAT IP address. If you can't, then perhaps a) whitelist multiple destinations, b) consider a more capable firewall, c) utilize automation like Ansible Tower to automate the update tasks.

        While there may be a solution for what you are trying to accomplish, I can't think of an "elegant one". I have seen in the past, companies use a dedicated network for management traffic where you could use static management routes for traffic to egreee MGMT interface, and then having a dedicated switch/firewall for controlling traffic.