NAT and Enabled On
Hi, I tried to figure out how Enabled On works for NAT entries (v13 VE). I am a bit surprised by the results and would like to find out if this is some kind of bug or correct behavior.

Scenario:

Two VLANs: ext, int

NAT with:
- NAT Address in the ext VLAN
- NAT Origin Address: IP of host_int in the int VLAN

Results for Enabled On:

- All: communication from/to host_int working.
- ext: communication from/to host_int working. Why? I understand why communication to the host is working, but why from the host (initiated by host_int)?
- int: no communication working. The target host in the ext VLAN is receiving, for example, the ping request, but the ARP request to resolve the NAT Address MAC is not working; there is no reply from BIG-IP. Seems a bit strange, but maybe there is logic here. Same if a host in the external VLAN tries to reach host_int (see as well the notes at the end).
- no VLAN: no communication working; that is expected.

One issue not directly related to BIG-IP: is it usual host behavior to issue an ARP request for the src IP of a ping request? After receiving the ping request, the target host knows the MAC of the src IP. Is that some kind of security measure to verify that the src MAC in the ping request really exists on the attached network? Of course it's done only when there is no MAC in the ARP cache? The target host is Win 2008 Srv.

What is strange is that when the MAC is in the ARP cache on the target host, the reply is returned and BIG-IP is passing it back to host_int (case with NAT Enabled On the int VLAN). But right after this reply the MAC is removed from the ARP cache. The next request triggers ARP resolution, but it fails and the reply is not sent back. If the MAC is added as a static entry on the target host, then communication from host_int is working (no ARP resolution is needed, so the target host knows where to send the reply). Communication to host_int is not working in this case; it seems that BIG-IP is silently dropping the ping request sent to the NAT Address.

Another issue noticed: when two different NAT entries were created (IPs in the same subnets as described) and one of them was set to Enabled On - no VLAN, and later on even disabled, then the other one stopped working: there were no ARP replies sent from BIG-IP for this second NAT address. After removing the second NAT entry everything started to work. Is that normal, or maybe just behavior on VE?

Piotr