NAT Pool Servers Outbound Internet Traffic

Kraig_52305
Nimbostratus
I have a Microsoft OCS server in a DMZ that normally just has inbound connections and replies back. VIP 1.1.1.1 and two pool servers, 172.16.1.1 and 172.16.1.2. The problem I have is that I need to NAT the 172.16.1.x addresses when they build a connection out to the internet. Right now the real server IP is being used, which would not be routable on the internet.

I was hoping that I could come up with an iRule that would NAT certain IPs (internet addresses) and not NAT my internal address space.

Any suggestions how to handle this?

The_Bhattman
Altostratus
You could create a 0.0.0.0:0 wildcard forwarding virtual server, create a snatpool that contains the possible public IP addresses that 172.16.1.x can use, and apply this iRule to the wildcard forwarding virtual server.

Here is an example of what the code could be:

when CLIENT_ACCEPTED {
    # Only flows whose source address is a DMZ pool member (172.16.1.0/24)
    # get a translation address from the snatpool; every other flow through
    # the wildcard VS keeps its real source address.
    if { [IP::addr [IP::remote_addr] equals 172.16.1.0/255.255.255.0] } {
        snatpool internet_nat
    }
}

I hope this helps,

CB

harshpal_35434
Nimbostratus
Can't we enable the outbound NAT without the iRule?
nitass
F5 Employee
> Can't we enable the outbound NAT without the iRule?

You can use a snat object as well. Anyway, a wildcard virtual server with an iRule may give you more granular control.

[root@ve1023:Active] config # b snat outbound_snat list
snat outbound_snat {
   translation 1.2.3.4
   origins 172.16.1.0/24
   vlans dmz enable
}

harshpal_35434
Nimbostratus
Thanks Nitass,

I have tried that one but it didn't work for me; probably I missed something.

One question here: do we need to attach the SNAT object somewhere, in the VS, the pool or the member (in the case of outbound NAT)?

I have tried that feature in Radware but never in F5; I will have this tested again.

Regards

Harsh

 

harshpal_35434
Nimbostratus
Nitass,

Now I am able to set up SNAT for outbound. I can access the internet from the server, but I see that I can't ping 4.2.2.2 or any other internet IP. I understand it is because of the property of SNAT, as it does port translation. Correct me if I am wrong.

But I understand there can be a port limitation on the BIG-IP when we use SNAT for outbound. For example, if I am using SNAT where we need to load balance DNS servers which use outbound SNAT to resolve DNS queries.

Is there any way we can fine-tune the value for the number of ports in the BIG-IP?

=================

[root@localhost:Active] config # b snat outbound_snat list
snat outbound_snat {
   translation 192.168.1.201
   origins 192.168.1.0
   vlans external enable
}

[root@localhost:Active] config # b self show
SELF 192.168.1.40 mask 255.255.255.0
| VLAN external floating disable
SELF 192.168.3.1 mask 255.255.255.0
| VLAN internal floating disable

===================

Regards

Harshpal

 

nitass
F5 Employee
> I can access the internet from the server, but I see that I can't ping 4.2.2.2 or any other internet IP. I understand it is because of the property of SNAT, as it does port translation. Correct me if I am wrong.

There is a setting named "SNAT Packet Forwarding" at System > Configuration > Local Traffic > General.

> But I understand there can be a port limitation on the BIG-IP when we use SNAT for outbound. For example, if I am using SNAT where we need to load balance DNS servers which use outbound SNAT to resolve DNS queries.

You can use a snatpool instead of only one translation address.

sol7820: Overview of SNAT features
http://support.f5.com/kb/en-us/solutions/public/7000/800/sol7820.html

Hope this helps.
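Added example, not code from this thread, from F5 or from any poster: a small Python model of the two points made above, The_Bhattman's selective-SNAT iRule on the wildcard virtual server and nitass's advice that one translation address runs out of ports so a snatpool should be used. It does not run on a BIG-IP. It reproduces the decision (translate only DMZ sources talking to non-internal destinations) and the per-destination port accounting, so the ceiling of a single translation address can be seen as a number rather than a warning. The internal prefixes (RFC 1918), the ephemeral port range 1024-65535 and the never-release allocator are assumptions for the illustration, not values from the thread or from F5 documentation.

```python
"""Model of the outbound-SNAT behaviour discussed in this thread.

Illustration only; not F5 code and not loadable on a BIG-IP.
"""
import ipaddress
from collections import defaultdict

# From the thread: the DMZ pool members live in 172.16.1.0/24.
DMZ_ORIGINS = ipaddress.ip_network("172.16.1.0/24")

# ASSUMPTION: the "internal address space" that must not be translated.
# The thread never lists it, so the RFC 1918 ranges stand in for it.
INTERNAL_SPACE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# ASSUMPTION: ephemeral source ports one translation address can hand out
# for flows to a single destination (1024-65535 = 64512 ports).
EPHEMERAL_PORTS = range(1024, 65536)


def needs_snat(src_ip: str, dst_ip: str) -> bool:
    """Mirror the wildcard-VS iRule decision: translate only when the source
    is a DMZ pool member and the destination is outside internal space."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src not in DMZ_ORIGINS:
        return False
    return not any(dst in net for net in INTERNAL_SPACE)


class SnatPool:
    """Toy snatpool with per-destination port accounting.

    A flow needs a unique (translation address, source port) pair per
    (dst ip, dst port). Ports are never released in this model, which is
    enough to show the ceiling; a real BIG-IP reuses ports as flows close.
    """

    def __init__(self, addresses):
        self.addresses = [ipaddress.ip_address(a) for a in addresses]
        # ports consumed, keyed by (translation address, dst ip, dst port)
        self._used = defaultdict(int)

    def capacity_per_destination(self) -> int:
        """Concurrent flows the whole pool can carry to one dst ip:port."""
        return len(self.addresses) * len(EPHEMERAL_PORTS)

    def allocate(self, dst_ip: str, dst_port: int):
        """Return (translation address, source port), or None once every
        address has used all its ports for this destination."""
        for addr in self.addresses:
            key = (addr, dst_ip, dst_port)
            used = self._used[key]
            if used < len(EPHEMERAL_PORTS):
                self._used[key] = used + 1
                return str(addr), EPHEMERAL_PORTS[used]
        return None


def translate(pool: SnatPool, src_ip: str, src_port: int,
              dst_ip: str, dst_port: int):
    """Source tuple the destination sees after the BIG-IP: unchanged for
    internal destinations or non-DMZ sources, translated otherwise, None
    when the pool has no port left for this destination."""
    if not needs_snat(src_ip, dst_ip):
        return src_ip, src_port
    return pool.allocate(dst_ip, dst_port)


def flows_until_exhausted(addresses, dst_ip="4.2.2.2", dst_port=53,
                          attempts=None) -> int:
    """Open `attempts` DMZ flows to one destination (constructed traffic)
    and count how many receive a translation. The default is one flow more
    than the pool's ceiling, so a single address visibly falls short."""
    pool = SnatPool(addresses)
    if attempts is None:
        attempts = pool.capacity_per_destination() + 1
    ok = 0
    for i in range(attempts):
        if translate(pool, "172.16.1.1", 1024 + i % 60000,
                     dst_ip, dst_port) is not None:
            ok += 1
    return ok


if __name__ == "__main__":
    print(needs_snat("172.16.1.1", "4.2.2.2"))       # internet: translated
    print(needs_snat("172.16.1.1", "192.168.3.10"))  # internal: left alone
    one = flows_until_exhausted(["1.2.3.4"])
    two = flows_until_exhausted(["1.2.3.4", "1.2.3.5"], attempts=one + 1)
    print(one, two)
```

Running the block opens one more flow than a single address can carry to 4.2.2.2:53: the single-address pool serves 64512 of 64513, the two-address pool serves all of them, which is the whole argument for a snatpool in front of busy resolvers. The figure 64512 follows only from the assumed port range; check the SNAT overview linked above for the limit that applies to a given BIG-IP version.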

harshpal_35434
Nimbostratus
Thanks a lot all, this worked for me. Awesome concept and top technology.

Cheers

Harsh