NAT and Enabled On

Question

Hi,&nbsp;
I tried to figure out how Enabled On works for NAT entries (v13 VE). I am a bit surprised by results and would like to find out if this is kind of bug or correct behavior.&nbsp;
Scenario:&nbsp;
Two vlans: ext, int&nbsp;
NAT with: NAT Address in ext vlan, NAT Origin Address - IP of host_int in int vlan&nbsp;
Results for Enabled On&nbsp;
All - communication from/to host_int workingext - communication from/to host_int working - why? I understand why communication to host is working but why from host (initiated by host_int)int - no communication working, target host in ext vlan is receiving for example ping request but ARP request to resolve NAT Address MAC is not working - no reply from BIG-IP. Seems a bit strange but maybe there is logic here. Same if host in external vlan tries to reach host_int (see as well notes at the end)no vlan - no communication working - that is expected
One issue not directly related to BIG-IP. Is that usual host behavior to issue ARP request for src IP of ping request? After receiving ping request target host knows MAC of src IP. Is that kind of security measure to verify if src MAC in ping request really exists on attached network? Of course it's done when there is no MAC in ARP cache? Win 2008 Srv target host.&nbsp;
Strange is that when MAC is in ARP cache on target host reply is returned - BIG-IP is passing it back to host_int (case with NAT Enabled on int vlan). But right after this reply MAC is removed from ARP cache. Next request triggers ARP resolution but it fails and reply is not send back.&nbsp;
If MAC is added as static entry on target host then communication from host_int is working (no ARP resolution is needed so target host knows where to send reply)&nbsp;
Communication to host_int is not working in this case - seems that BIG-IP is silently dropping ping request send to NAT Address.&nbsp;
Another issue noticed: when two different NAT entries were created (IPs in the same subnets as described) and one of them was set to Enabled on - no vlan and latter on even disabled then another stopped to work - there were no ARP replies send from BIG-IP for this second NAT address.&nbsp;
After removing second NAT entry everything started to work - is that normal, or maybe just behavior on VE?&nbsp;
Piotr&nbsp;

johnbernardcheu · Answer

I see odd behaviour on VE v11 and VE v12 code also.  Traffic initiated from originating host(H1-the host who's address will be NATed) to the other host(H2) always goes thru regardless if all vlans are on disabled list(or no vlans are on enabled list).  However traffic initiated from the other host(H2) is controlled by whether its vlan is on the disabled list(or excluded from enable list).  I tried rebooting and that did not help.  TCP dumps also show traffic passing thru the LTM from the originating host(H1) to H2.  
&nbsp;
Can someone confirm that this is expected behaviour? If this isn't - how would it work?  Which vlan(s) need to go on enabled list for a NAT that only has an internal and external interface?&nbsp;

Forum Discussion

NAT and Enabled On

1 Reply

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Enable telnet on SSH

BIG-IP AFM設定例-NAT

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

Enable SAML Service Provider on F5 Distributed Cloud Application

enable WebSocket profile.