
Fail to access DVWA which is behind F5 LTM

SamFok
Altostratus

Hi Team,

Step 1.

Tried to set up the DVWA docker according to the link below:

https://github.com/ethicalhack3r/DVWA

docker run --rm -it -p 80:80 vulnerables/web-dvwa

 

When accessing the DVWA from the internet, it works and I can access the login page.

 

Step 2.

Then I added that DVWA server as a pool member in F5 LTM; access then failed when going via the Virtual Server IP address from the internet.

A few key items:

  1. The F5 settings should be correct, since once I change the pool member to an Nginx web server, it works instantly. Thus, the F5 configuration should not be the problem. (SNAT auto-map is configured.)
  2. If I access the DVWA from the same network, it works.
  3. The access.log of Apache shows the below when behind the F5:

10.1.1.14 - - "GET /" 302 0 "-" "-"

where 10.1.1.14 is the VS IP address.

Any clue? I wonder if it may need some configuration change on Apache or so. Has anyone encountered this before? Thanks

 

Br,

 

Sam Fok

 

 

3 REPLIES

Martin_Šebek
Altostratus

How is it that the log file on Apache shows 10.1.1.14 as the client IP address when it is also configured as the VS IP address with SNAT automap? The traffic should be SNATed behind the floating IP address of the egress VLAN.

 

I would recommend using tcpdump to check what is going on.

tcpdump -nni 0.0:nnnp host 10.1.1.14

 

SamFok
Altostratus

Thanks Martin,

 

It may be due to the F5 LTM being deployed as single NIC in GCP, where:

 

10.1.1.14: LTM IP (single nic)

10.1.1.15: DVWA IP

XX.XX.XX.XX: masked public ip from my computer

 

Captured the said tcpdump as attached, and in the last few entries,

 

------------------------------------------------

10:25:00.492238 IP 10.1.1.14.43358 > 10.1.1.15.80: Flags [F.], seq 10, ack 2, win 222, options [nop,nop,TS val 1013071 ecr 2516564255], length 0 in slot1/tmm0 lis= flowtype=66 flowid=5600019C9C40 peerid=5600019C9D40 conflags=24000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010F peerlocal=00000000:00000000:0000FFFF:0A01010E remoteport=80 localport=43358 proto=6 vlan=4094

10:25:00.492248 IP 10.1.1.14.43358 > 10.1.1.15.80: Flags [F.], seq 1908046924, ack 2, win 222, options [nop,nop,TS val 2592968267 ecr 2516564255], length 0 out slot1/tmm0 lis= flowtype=130 flowid=5600019C9D40 peerid=5600019C9C40 conflags=4000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010E peerlocal=00000000:00000000:0000FFFF:0A01010F remoteport=43358 localport=80 proto=6 vlan=4094

10:25:00.492398 IP 10.1.1.15.80 > 10.1.1.14.43358: Flags [.], ack 1908046925, win 1018, options [nop,nop,TS val 2516564255 ecr 2592968267], length 0 in slot1/tmm0 lis= flowtype=130 flowid=5600019C9D40 peerid=5600019C9C40 conflags=4000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010E peerlocal=00000000:00000000:0000FFFF:0A01010F remoteport=43358 localport=80 proto=6 vlan=4094

10:25:00.492407 IP 10.1.1.15.80 > 10.1.1.14.43358: Flags [.], ack 11, win 1018, options [nop,nop,TS val 2516564255 ecr 1013071], length 0 out slot1/tmm0 lis= flowtype=66 flowid=5600019C9C40 peerid=5600019C9D40 conflags=24000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010F peerlocal=00000000:00000000:0000FFFF:0A01010E remoteport=80 localport=43358 proto=6 vlan=4094

------------------------------------------------

 

It does show back-and-forth communication between the LTM and DVWA servers.

Any comments? Thanks.

 

Br,

Sam Fok
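Added example, not part of the original posts: a small parser for capture lines in the format shown above, which splits off the key=value tail that follows the tcpdump fields and decodes the hex peerremote/peerlocal values to dotted IPv4. The function names are hypothetical, and reading those two fields as IPv4-mapped IPv6 addresses is an assumption (they decode to the 10.1.1.14 and 10.1.1.15 addresses named in the thread).

```python
import ipaddress
import re

# Two entries from the capture posted above, with the wrapped tails re-joined.
CAPTURE = """\
10:25:00.492238 IP 10.1.1.14.43358 > 10.1.1.15.80: Flags [F.], seq 10, ack 2, win 222, options [nop,nop,TS val 1013071 ecr 2516564255], length 0 in slot1/tmm0 lis= flowtype=66 flowid=5600019C9C40 peerid=5600019C9D40 conflags=24000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010F peerlocal=00000000:00000000:0000FFFF:0A01010E remoteport=80 localport=43358 proto=6 vlan=4094
10:25:00.492248 IP 10.1.1.14.43358 > 10.1.1.15.80: Flags [F.], seq 1908046924, ack 2, win 222, options [nop,nop,TS val 2592968267 ecr 2516564255], length 0 out slot1/tmm0 lis= flowtype=130 flowid=5600019C9D40 peerid=5600019C9C40 conflags=4000E26 inslot=63 inport=23 haunit=0 priority=0 peerremote=00000000:00000000:0000FFFF:0A01010E peerlocal=00000000:00000000:0000FFFF:0A01010F remoteport=43358 localport=80 proto=6 vlan=4094
"""

# tcpdump fields first, then the direction, the TMM instance and the key=value tail.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): Flags \[(?P<flags>[^\]]*)\]"
    r".* length \d+ (?P<dir>in|out) (?P<tmm>\S+) (?P<tail>.*)$"
)

def mapped_to_ipv4(field):
    # Assumption: peerremote/peerlocal are IPv4-mapped IPv6 addresses written in hex.
    addr = ipaddress.IPv6Address(int(field.replace(":", ""), 16))
    return str(addr.ipv4_mapped or addr)

def parse_line(line):
    """Return one capture line as a dict, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Empty values such as "lis=" are kept as empty strings.
    tail = dict(kv.split("=", 1) for kv in rec.pop("tail").split() if "=" in kv)
    for key in ("peerremote", "peerlocal"):
        if key in tail:
            tail[key] = mapped_to_ipv4(tail[key])
    rec.update(tail)
    return rec

def summarize(text):
    """One readable line per packet: time, direction, flags and the flow's peers."""
    out = []
    for rec in filter(None, map(parse_line, text.splitlines())):
        out.append("{ts} {dir:>3} [{flags}] flow {flowid}: {peerlocal}:{localport} <-> "
                   "{peerremote}:{remoteport}".format(**rec))
    return out

if __name__ == "__main__":
    print("\n".join(summarize(CAPTURE)))
```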

 

Martin_Šebek
Altostratus

Check the status of the pool you are sending traffic to. In the tcpdump output you can see resets with the cause "No pool member available". So it looks like BIG-IP has marked all pool members as down and therefore the whole VS is unavailable.