default gateway
7 Topics

Passing client IP's for FTP
Our FTP server (behind our F5) has an auto ban feature that is blocking the self IP address of the F5 after multiple invalid logins. This in turn blocks all FTP traffic. I have used X-Forwarded-For in the past but I can't seem to find the equivalent for FTP. Our workaround is to not auto ban IP addresses but this is a security risk. My solution is to move from Automap/SNAT to None (Routed Mode) and make the F5 the default gateway of the SFTP server (this would pass the real client IP at Layer 3). I seem to have hit a roadblock on how to exactly do that.

Current Config
EXT listener (F5 virtual server) 10.10.10.181 > Pool Member (ftp server) 192.168.66.3
Self IP of F5 192.168.1.3

How would I specifically configure the Virtual Forwarding (IP) VS so it sends traffic destined for 10.10.10.181 to 192.168.66.3 while passing the real IP address? Do I need to create a static route on my router since the F5 and server are on different VLANs? When I set the DG to the self IP of F5 all traffic dies to that server (as expected). Any help is appreciated!

701 Views, 0 likes, 1 Comment

Does the Big-IP use its management IP address to query the internet for F5 updates?
I'm seeing my F5 try to query the internet to check for updates after I manually pressed "Check Now" from the update check page. It's currently trying to reach out to the internet from its Self-IP, not the management address. Should the F5 be using its Self-IP by default to query that update server out in the internet or should it be using its management IP address? I ask because I currently have a static default route on the F5 that says if you're going to 0.0.0.0, take your default gateway at 10.251.12.1 (the default gateway for the Self-IP). Is this why it's trying to source the request from that address or would it be doing it by default anyway even if I didn't have that default route set?

Solved, 429 Views, 0 likes, 5 Comments

VPN and internet access issues - default gateway biting me.
Hi,

We currently have an F5 configured using the APM/LTM for SSL VPN. For internet access we were using our web filtering appliances as a proxy setup as we don't allow split-tunnel. We are moving to NGFW and the proxies are going away. We've tried just removing the proxy configuration but the traffic hits the inside interface and then dies (I'm assuming it's because we have a static default route pointing to the firewall's DMZ IP). Our VPN is using an internally routable address and SNAT is off on it to allow users to use our VOIP software.

I've searched Dev Central on topics like PBR, VRF, etc. and I can't find any good examples of how to accomplish what I need to do. I've read discussions regarding using FastL4, but most of the comments are just that, and no actionable code (I've got some F5 experience, but most of it basic). Back in my Cisco days, I would just put the outside (internet) in its own VRF, and I thought about using route domains, but I tried to create a new domain and move the external VLAN into it and I just got an error about it not being able to be moved (I'm wondering if this is because I have virtual servers using that IP scope?).

Thanks for any direction.
Jon

400 Views, 0 likes, 2 Comments

BIG-IP : SNAT necessary if device is only gateway to internet ?
F5 BIG-IP Virtual Edition v11.4.1 (Build 635.0) LTM on ESXi

Our production BIG-IP devices are configured with virtual-servers with VIPs on public internet. Backend sites/services are on internal subnet and have no route to internet other than through BIG-IP. In this scenario is enabling SNAT necessary for backend sites/services to route response ( through BIG-IP ) to original client ( browser on www ) ? Or are other mechanisms available ?

EDIT : More precisely, our backend servers are web-servers hosting various micro-sites & micro-services. In fact, some that require internet access ( to retrieve data from 3rd-party services such as Google Maps or Facebook ) do have their default gateway pointing to a forward-proxy-server we maintain specifically for that purpose. Others have their default gateway pointing to an internal switch ( no path to the internet ). AFAIK, no servers are configured with default route/gateway pointing to BIG-IP Self-IP.

386 Views, 0 likes, 4 Comments

Default Route Failure
Hi,

Please I need assistance with this issue. I created a default route of 0.0.0.0/24 to 10.221.75.2 but traffic is not being directed to the. However, a route of 4.2.2.2 forwarded traffic to the same IP. What might the problem be? My colleague asked if F5 understands route 0.0.0.0?? Please I need this urgently.

Thank you

381 Views, 0 likes, 6 Comments

Use Specific Gateway Pool based on SNAT address
Hi All,

Currently we have 3 ISP Links which I am trying to get routing correctly based on outbound SNAT. I have created SNAT Pools for the internal subnets that contain IPs from each of the three ISPs. The F5 seems to be SNATing to one of the external IPs from the pool then using our Wildcard Server, Round Robin to send the traffic down any one of the three ISP links. This results in the traffic going down the right link only every other time.

ISP A
ISP B
ISP C
Internal 192.168.20.0/24

Current Issue
F5 -> Snat addresses 192.168.20.0/24 to external IP from ISP A -> Round Robin and send down link ISP A, B or C

I would like to configure it so the F5 uses the correct ISP link based on its SNAT address. Someone please tell me this is possible?

Best Regards,
Scott

168 Views, 1 like, 0 Comments

Need to Re-ip the VIPs, Self-ips and mgmt IPs
Hi Experts,

I have the following requirement:

I have to re-IP some VIPs which are currently on the 4.x.x.x/24 network to 10.x.x.x/24. Can I reconfigure the old VIPs with new IPs?

I have self-IPs (static and floating) in the External and Internal VLANs, which also need to be re-IPed to the 10.x.x.x/24 segment. Can I change the IPs or do I need to create new self-IPs for the external and internal VLANs?

I have a default route on my LTMs pointing to an L3 switch:

list /net route all-properties
net route /Common/Gateway {
    description none
    gw 4.x.x.1
    mtu 0
    network default
    partition Common
}

Do I need to delete this default route and create a new route which will be a L3 SVI in 10.x.x.1?

Can I keep the old default route and create a new one for 10.x.x.1? Will that work?

Can I use a forwarding VIP?

Also, if I remove the old self-IPs and the old default G/W, will it create any outage?

I am planning to do the configuration changes on the Standby device first and then make it Active, and once tested successfully, I will sync the devices.

Kindly assist. It will be a great help and much appreciated!

125 Views, 0 likes, 2 Comments