Network type virtual server
Hi,

Probably obvious for network gurus but I can't figure it out. How can a network VS be used? I can see how when Standard or PerformanceL4 type is used, because they have a pool attached. What I can't figure out is if using a network VS makes any sense for a ForwardingIP VS.

Let's say I have:

SelfIP 192.168.1.1/24
Network VSNet with 192.168.2.1/24
Upstream router configured to route 192.168.2.1/24 to 192.168.1.1

So packets with dst IP in 192.168.2.1/24 will be sent to SelfIP 192.168.1.1, then processed by VSNet (dst IP match). But what next? Subnet 192.168.2.1/24 is local to BIG-IP, so there is no outside route BIG-IP can send such traffic to. So what happens next? Drop, Reject, some loop created?

Piotr

258 Views, 0 likes, 2 Comments

Provide internet access for servers behind the LTM configured with 2 different route domains (Outside/Inside)
Hello everybody,

Would you please help me provide internet access for one of my servers behind the LTM? I know how to do it without route domains, but because of the IPS Passthrough design I configured two different route domains. Traffic from outbound (route domain outside) to inbound (route domain inside) is working fine, but from inside to outside is not working. Any ideas appreciated.

290 Views, 0 likes, 1 Comment

Wildcard Virtual Server IP Forwarding
Hi - we have an SMTP server that sits off a DMZ vlan off the F5. The D/G for the SMTP server is the real address of the F5. We want the SMTP server to be able to make SMTP calls to any SMTP servers on the internet. Therefore we do not know the destination IP addresses. We do not want the F5 to NAT the source IP address in any way (the next hop after the F5 is an internet facing firewall which will NAT the source IP to a relevant RIPE address).

All the literature says - just create an "IP forwarding wild card virtual server". I have and it doesn't seem to work. I can see an SMTP request from the DMZ SMTP server to another server hit the F5 on the DMZ vlan interface by doing a tcpdump. I don't see it exit the box on the other vlan interface that faces the internet firewall. So the F5 is not passing it on?

What I do notice is that when I create the wildcard forwarding server the status is "blue square" (presumably because it doesn't have any pool associated with it to say it should be green and up - but you don't have pools with wildcard forwarders do you?). So when you create the wildcard forwarder - should it be green?

The config for the wildcard VS is below (and yes this is not on the default routing domain).

    ltm virtual rd1-smtp-global {
        address-status no
        destination 0.0.0.0%1:any
        ip-forward
        mask any
        profiles {
            testfastl4 { }
        }
        source 0.0.0.0%1/0
        translate-address disabled
        translate-port disabled
        vlans {
            rd1-smtp-1148
            rd1-smtp-real-1140
        }
        vlans-enabled
        vs-index 58
    }

NB. the virtual address associated with the virtual server is marked as up and green cos I forced it up. But that makes no difference to the vs. I'm not sure what else I can do unless it's maybe a bug? - code version is 11.5.3. Any help greatly appreciated.

1.5K Views, 0 likes, 26 Comments

Virtual Server - Type Forwarding IP
The customer has set up a virtual server using type IP Forwarding, similar to a target router, with a network mask of 24. However, they would like to keep the virtual server connections open only when the connection between the F5 and the servers is connected. Is there a possibility in Forwarding IP mode to monitor connections and start the virtual server when you have open or closed ports?

486 Views, 0 likes, 8 Comments

Fastl4 fwd vs required for network access vs?
I have a Network Access vs and access policy created to give users SSLVPN. However, when this was originally done, a forwarding fastl4 VS was also configured to accept traffic from any source and destined for any destination on any port for all VLANS. I disabled this as a test and when VPN'd in I can no longer access anything (internal hosts, Internet, google.com, nothing). Why is this the case? Nowhere in the documentation did I see this was necessary. I'm also concerned this VS is overly permissive.

In addition, it seems like the static ACLs I am applying to restrict VPN access to specific internal networks are not working and I'm wondering if the forwarding VS is allowing this traffic to pass. For example, if I apply a static ACL to deny all traffic to the 10.0.0.0/8 network, I am still able to ping all hosts on that network when VPN'd in.

Fwd_vs config:

Type: Forwarding IP
Source: any
Dest Network: any
All ports
Protocol Profile: fastl4
All VLANS and Tunnels

Access Policy for Network Access: Basically I assign the network access and webtop, and for specific groups I assign the static ACL along with them, which are as follows.

Allowed: any -> 10.50.1.0/24
Denied: any -> all RFC 1918 networks

The ACL order is correct, matches the order above. With this configuration I am still able to reach the 10.0.0.0/8 network. A tracert confirms that I am exiting the internal interface of my BigIP and reaching the internal host through the VPN.

So back to it, my question is two-fold. Why do I need a forwarding IP VS, and could that be why my static ACLs are not working? Or are they two separate issues? Any help is appreciated.

Thanks

220 Views, 0 likes, 0 Comments