network address translation
NAT IPv6 to IPv6 (NAT66)

Hi,

I have a scenario which requires us to do IPv6 to IPv6 NATting (map a private IPv6 to a public IPv6). We are using the software version 13.1.1.4 and it seems it doesn't properly work. We tried the following:

1. Configured a SNAT pool list with one IPv6 address; next this SNAT was assigned to our IPv6 virtual server. Troubleshooting it with tcpdump shows no translation occurs. I found under the 14.x release notes a bug, ID 681070, which seems similar: "NAT66 may fail if configured with a single translation address".

2. We then tried to configure the SNAT pool list with an IPv6 /124 prefix, resulting in errors by the F5 saying "01020059:3: IP Address :: is invalid, must not be all zeros."

3. Tried using an iRule with plain when client_accepted, snat ipv6address... This didn't work either; we received TCL errors:

bad IP address format (line 1)TCL error (line 1) (line 1) invoked from within "snat xxxx:6xx0:0001:0100:00xx:0xx5:0104:0/124"

Did anyone successfully configure something like this? Any ideas will be very much appreciated.

Thanks,

AFM NAT - how to implement

Hi,

That is probably something easy and I have to be missing a tiny detail, but as for now I am stuck :-(

I need to create something that I think is classic FW NAT. My goal is like that:

- Single VIP on BIG-IP
- Client connecting to VIP port X is NATed to backend IP Y port X (other option is changing port on backend)
- Client connecting to VIP port Y is NATed to backend IP Z port Y, and so on

What I did:

- Created Performance L4 VS with all ports, no pool, no SNAT, Address and Port Translation checked
- Created AFM NAT policy like on the image below
- Assigned this policy to VS via Security > Policies: Network Address Translation, Policy option (Use Device Policy and Use Route Domain Policy unchecked)

Unfortunately it's not working. When connecting to VIP:887 from client I am getting RST (not immediately, most often after 2-3 SYN retries). Notice that my NAT policy is reporting hits, so it seems that the client side part is working but not the server side. I can of course ping (and do HTTP connection) to the IP:port listed as Translated Destination.

When checking show net rst-cause I can't see any related (at least in my opinion) causes - the only increasing counters are: VIP disabled (administrative); handshake timeout - that might be related? There is a counter named (FW NAT) dst_trans failed, but it shows 0.

Maybe another clue is that the client after the first SYN is receiving ICMP Host unreachable from the BIG-IP floating IP on the VIP VLAN. I can't see any traffic on the backend side either, even an ARP request for the Translated IP. So what am I doing wrong?

Another question is if I need a separate AFM Network policy for such a VIP - I mean to control allowed destination ports - or if having just the AFM NAT policy is enough (it seems that it also allows control of the Source IP, so even for that an AFM FW policy should not be needed). In other words, if there is incoming traffic to a port not defined in the AFM NAT policy, will it be rejected anyway or not?

Piotr