I tried to figure out how Enabled On works for NAT entries (v13 VE). I am a bit surprised by results and would like to find out if this is kind of bug or correct behavior.
Two vlans: ext, int
NAT with: NAT Address in ext vlan, NAT Origin Address - IP of host_int in int vlan
Results for Enabled On
One issue not directly related to BIG-IP. Is that usual host behavior to issue ARP request for src IP of ping request? After receiving ping request target host knows MAC of src IP. Is that kind of security measure to verify if src MAC in ping request really exists on attached network? Of course it's done when there is no MAC in ARP cache? Win 2008 Srv target host.
Strange is that when MAC is in ARP cache on target host reply is returned - BIG-IP is passing it back to host_int (case with NAT Enabled on int vlan). But right after this reply MAC is removed from ARP cache. Next request triggers ARP resolution but it fails and reply is not send back.
If MAC is added as static entry on target host then communication from host_int is working (no ARP resolution is needed so target host knows where to send reply)
Communication to host_int is not working in this case - seems that BIG-IP is silently dropping ping request send to NAT Address.
Another issue noticed: when two different NAT entries were created (IPs in the same subnets as described) and one of them was set to Enabled on - no vlan and latter on even disabled then another stopped to work - there were no ARP replies send from BIG-IP for this second NAT address.
After removing second NAT entry everything started to work - is that normal, or maybe just behavior on VE?
I see odd behaviour on VE v11 and VE v12 code also. Traffic initiated from originating host(H1-the host who's address will be NATed) to the other host(H2) always goes thru regardless if all vlans are on disabled list(or no vlans are on enabled list). However traffic initiated from the other host(H2) is controlled by whether its vlan is on the disabled list(or excluded from enable list). I tried rebooting and that did not help. TCP dumps also show traffic passing thru the LTM from the originating host(H1) to H2.
Can someone confirm that this is expected behaviour? If this isn't - how would it work? Which vlan(s) need to go on enabled list for a NAT that only has an internal and external interface?