snat
80 Topics

APM - How to configure logging of snat addresses for network access and app tunnels
Hello everyone,

we are using BIG-IP Access Policy Manager to enable administrative access to systems via App Tunnel and Network Access resources. For security reasons, we need to be able to map requests logged on backend resources/systems (e.g. in SSH audit logs) to the session or user accessing said backend resource via App Tunnel or Network Access in APM. Currently, the following request information is logged.

Network Access:

May 17 14:42:00 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c1237463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c1237463:15 packet: tcp 192.168.12.18:58680 -> 10.0.0.1:22

App Tunnels:

May 17 14:41:10 tmm1 tmm1[22565]: 01580002:5: /APM/ap_rmgw:Common:c6787463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c6787463:0 packet: tcp 89.229.152.144:63252 -> 10.0.0.1:2

For Network Access requests, an IP address of the lease pool configured in the Network Access resource is logged as the client IP. For App Tunnel requests, the public IP of the client accessing APM is logged as the client IP.

In our setup, both requests will be NATed by APM before hitting the target system (through a snat pool in case of a Network Access request, through the active appliance's backend IP in case of App Tunnels). Therefore, the APM self IPs (snat pool/appliance backend) will be logged on the target host, leading to us not being able to correlate logs in APM with logs on the target systems.

Is there any way to log the SNAT/NAT addresses and ports used to access target systems through APM? I've tried using ACCESS_ACL_ALLOWED in an iRule to log additional information, unfortunately this event only seems to trigger on Portal Access resources, not when using App Tunnels or Network Access resources.

Thank you,
Fabian

DNS: reply from unexpected source
Hi,

Firstly, I must say that I am a complete newbie when it comes to BIG-IP products. On the other hand, the load balancer was configured by experts, so I am pretty confident that they did a reasonably good job.

I have two DNS servers (DNS1 and DNS2) and a BIG-IP F5 14.1.4.6 load balancer. Both DNS servers' default gateway is the F5. When a DNS client asks the DNS service in the F5, the load balancer sends the request to one of the DNS servers keeping the client's IP. Then, on receiving the reply from the DNS server, the F5 sends the reply to the client using its own IP (with SNAT). This way, the DNS client only talks to the F5. On the other hand, when a DNS client asks one of the DNS servers directly, the DNS server sends the reply to the default gateway (the F5) and the packet is routed to its destination without any change.

Nevertheless, every now and then I am facing replies from unexpected sources. For instance, sometimes the client asks DNS1 but it gets the reply from the F5. Thus, I get messages like this:

;; reply from unexpected source: bigip#53, expected dns1#53

It looks like, on receiving the reply from DNS1, the F5 replaces the packet's source IP (SNAT) with its own IP. Example:

Right behaviour:

PC -> DNS query to F5 service -> F5 -> sends a query to DNS1 or DNS2 keeping the PC's source IP -> DNS1 replies to the F5 (its default gateway) -> F5 replaces source IP (SNAT) and sends the reply to the PC -> the PC receives the reply from the service it asked.

PC -> sends a DNS query to DNS1 -> DNS1 replies to the F5 (its default gateway) -> the F5 somehow knows that the reply was sent directly to DNS1 and forwards the reply to the PC keeping DNS1's IP address -> the PC receives the reply from the server it asked (DNS1).

Wrong behaviour:

PC -> sends a DNS query to DNS1 -> DNS1 replies to the F5 (its default gateway) -> the F5 replaces the packet's source IP (DNS1) with its own IP and forwards the reply to the PC -> the PC receives the reply from an unexpected server (F5).

Can you give me a hand to solve this? Maybe you can just give me a hint to start looking for the solution.

Thanks in advance.

Regards,

Outbound SNAT for servers: Destination Net Prohibited
Hi,

Probably something simple ... I am trying to set up outbound connections for servers behind my F5 LTM. My assumption was that an outbound SNAT (using auto map) as per the configuration guides would accomplish this. Unfortunately not. When I do a test ping I get the message back from the BIG-IP: Destination Net Prohibited.

When I configure a static NAT for a particular server everything is fine. The configuration guide does not mention any additional configuration required for this outbound SNAT scenario. I believe that NAT or SNAT should be sufficient to allow traffic through the LTM. For NAT this is the case.

In the end I have created a "Forwarding IP" virtual server for all source IPs and I have bound that to my internal interface. The virtual server is using "auto map" as well for source IP address translation. I would prefer to use the outbound SNAT and not the virtual server.

If someone could help identify the issue, I would appreciate it.

Many thanks,

Preserve original source IP with SNAT for SMTP
Hi guys,

Reading through various posts here on DevCentral I have a feeling I will not be able to achieve what I want, but I'd rather ask again.

Our topology looks like:

source -> firewall -> F5 LTM -> firewall -> router -> backend servers

I am trying to load balance SMTP but the server guys need to see the original source IP in order to allow or deny sending emails. The problem is that I need to work with SNAT because the backend servers are far from the LB, behind another firewall and router. Their default gateway must be the one of the router. If I keep the original source IPs, I would face asymmetric routing and some firewall on the way back would kill the session.

We checked the backend SMTP server configuration and there is no other way to allow/deny sources there except by IP addresses.

So can I load balance SMTP traffic with SNAT while somehow being able (on the backend server) to tell what the original source IP was?

Thanks.

Use VIP address as source
Hello everyone,

How can I allow the VIP IP as a source when the pool member initiates the connection on a specific port?

I tried with a NAT but it will NAT all the traffic; I need only to NAT when the pool member initiates the traffic on a specific port. (Actually the NAT didn't work; I have a capture on a FW and the connection is using the self IP of the F5.)

I tried with a SNAT and SNAT pool but it didn't work either; I can see the self IP in the FW when the server initiates the traffic.

I also tried with an iRule, something like this:

when CLIENT_ACCEPTED {
    # TCP::local_port is the destination port of the connection as seen on this virtual server
    if { [TCP::local_port] == 2196 } {
        snatpool SNAT_POOL_TEST
    }
    pool airwatch-AWCM-2001
}

Thanks in advance for your responses.

Regards,
Jose Charpentier F

F5 LTM SNAT: only 1 outgoing connection, multiple internal clients
I have an F5 LTM SNAT configured:

ltm snat /Common/outgoing_snat_v6 {
    description "IPv6 SNAT translation"
    mirror enabled
    origins {
        ::/0 { }
    }
    snatpool /Common/outgoing_snatpool_v6
    vlans {
        /Common/internal
    }
    vlans-enabled
}

... with a translation configured as:

ltm snat-translation /Common/ext_SNAT_v6 {
    address 2607:f160:c:301d::63
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}

... with snatpool configured as:

ltm snatpool /Common/outgoing_snatpool_v6 {
    members {
        /Common/ext_SNAT_v6
    }
}

... and finally, with the SNAT type set to automap:

vs_pool__snat_type { value automap }

The goal is to achieve a single Diameter connection (single source IP, port) between F5 and the external element, while internally multiple Diameter clients connect via F5 to the external element:

However, what ends up happening with this SNAT configuration is that multiple outgoing Diameter connections to the external Diameter element are opened, with the only difference between them being the source port (source IP, destination IP and port remained the same). The external element cannot handle multiple connections per the same origin IP and the same Diameter entity (internal clients are all configured to use the same Origin-Host during the Capabilities Exchange phase).

Is there a way to configure F5 to funnel all the internal connections into a single outgoing one?

iRule SNAT for multiple ISP
Hi,

I tried to configure an iRule to SNAT a specific LAN to a specific ISP (WAN link). When I bind this iRule to my default VS (in FastL4) the iRule doesn't match when I generate traffic from my LAN. I don't know if my iRule is good...:

when CLIENT_ACCEPTED {
    set my_ip [IP::client_addr]
    # Clients from these two /26 networks leave through the dedicated WAN address
    if { [IP::addr [IP::client_addr] equals X.X.X.X/26] or [IP::addr [IP::client_addr] equals Y.Y.Y.Y/26] } {
        snat Z.Z.Z.Z
        pool default_gw_pool
    } else {
        # Everything else uses the general SNAT pool
        snatpool snat_pool-CLD_ALL
        pool default_gw_pool
    }
}

Does someone have an idea?

inline configuration
Hi,

I have this configuration:

NET => FW => F5 => SRV

I have VS1 which forwards traffic to SRV (no SNAT used; not possible to do XFF, so the source address of the client is seen). F5 is the default gateway for SRV. On F5 there is also a forwarding IP VS 0/0 and a default route to FW. FW also has a static route for the SRV subnet pointing to F5.

Questions:

1. A client from NET goes to VS1 (SNAT off) and is redirected to SRV (source address is seen; destination NAT is in place to pass traffic to SRV). I assume that return traffic from SRV is hitting VS 0/0 (am I right?). VS 0/0 has SNAT off. And I also assume that the source address of SRV is changed to the VS1 IP (am I also right?). If not, should I do some SNAT on VS 0/0?

2. Second example. When the server is originating a connection to NET it hits VS 0/0, is that right? No SNAT is configured, so the source address of the server is seen outside? The route on FW passes traffic back to SRV via F5.

If point 1 is true (so return traffic is automatically SNATed back to the VS1 IP), what determines whether traffic is SNATed or not? Is it the previously created session/entry for DNAT when traffic originating from NET hits VS1?

Selective SNAT in VPN
I have a fully working VPN (Network Access) on BIG-IP; very easy to set up. I have an RFC1918 IP pool 10.10.1.1-10.10.1.254 allocated for the VPN clients, and my BIG-IP has a couple of network interfaces. If I enable AutoMap, everything works nicely.

Question: is it possible to do a selective SNAT based on where the client wants to go? If yes, how?

I'm trying to keep the RFC1918 IPs when clients talk to internal resources in our network, but I would like to SNAT only the traffic going to the Internet (it leaves through a specific interface that has its own self IP).
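Added example, not from any post on this page: a small Python correlation script for the two questions above about tracing SNAT'ed connections back to the original client (the APM logging question and the SMTP original-source-IP question). It parses the APM "allow ACL" format quoted in the APM post and joins it with backend sshd "Accepted" lines through an assumed SNATMAP log line that a hypothetical iRule (sketched in a comment) would emit in SERVER_CONNECTED. The names SNATMAP and /Common/log_snat are assumptions for this example, not an F5 feature; all log lines are constructed except the first APM line, which is quoted from that post.

```python
import re
from typing import Dict, List, Optional

# Format of the APM "allow ACL" lines quoted in the APM logging question on this page.
APM_ACL_RE = re.compile(
    r"(?P<policy>/APM/[^:\s]+):Common:(?P<session>\w+): allow ACL: .*?packet: "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# ASSUMED format (not produced by BIG-IP out of the box): a hypothetical iRule
# on the virtual server logs, in SERVER_CONNECTED, the client tuple, the SNAT
# tuple and the pool member tuple, e.g.
#   log local0. "SNATMAP [IP::client_addr]:[TCP::client_port] -> \
#     [IP::local_addr]:[TCP::local_port] -> [IP::server_addr]:[TCP::server_port]"
SNATMAP_RE = re.compile(
    r"SNATMAP (?P<csrc>[\d.]+):(?P<csport>\d+) -> (?P<snat>[\d.]+):(?P<snport>\d+) "
    r"-> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Standard OpenSSH "Accepted ..." line on the backend host.
SSHD_ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def correlate(apm_lines: List[str], snatmap_lines: List[str],
              sshd_lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Map each backend SSH login back to the APM session that caused it.

    Join path: sshd (snat_ip, snat_port) -> SNATMAP line -> client 4-tuple
    -> APM ACL line -> APM session id. Logins with no SNATMAP entry are kept
    with client/apm_session set to None so unexplained backend access stays visible.
    """
    # APM session id keyed by the pre-SNAT client flow.
    apm_by_flow: Dict[tuple, str] = {}
    for m in map(APM_ACL_RE.search, apm_lines):
        if m:
            apm_by_flow[(m["src"], m["sport"], m["dst"], m["dport"])] = m["session"]

    # SNATMAP entries keyed by the translated (SNAT) source tuple. Caveat: a
    # SNAT port is reused once the connection ages out, so on a real log
    # stream this key must also be bounded by time.
    snat_by_translation: Dict[tuple, "re.Match"] = {}
    for m in map(SNATMAP_RE.search, snatmap_lines):
        if m:
            snat_by_translation[(m["snat"], m["snport"])] = m

    results: List[Dict[str, Optional[str]]] = []
    for m in map(SSHD_ACCEPT_RE.search, sshd_lines):
        if not m:
            continue
        rec: Dict[str, Optional[str]] = {
            "user": m["user"],
            "snat_src": f"{m['ip']}:{m['port']}",
            "client": None,
            "apm_session": None,
        }
        s = snat_by_translation.get((m["ip"], m["port"]))
        if s:
            rec["client"] = f"{s['csrc']}:{s['csport']}"
            rec["apm_session"] = apm_by_flow.get(
                (s["csrc"], s["csport"], s["dst"], s["dport"]))
        results.append(rec)
    return results


# Constructed sample input. The first APM line is the one quoted in the APM
# question; everything else is made up for this example.
APM_LINES = [
    "May 17 14:42:00 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c1237463: allow ACL: "
    "#app_tunnel_/APM/Some_App-Tunnel@c1237463:15 packet: tcp 192.168.12.18:58680 -> 10.0.0.1:22",
    "May 17 14:41:10 tmm1 tmm1[22565]: 01580002:5: /APM/ap_rmgw:Common:c6787463: allow ACL: "
    "#app_tunnel_/APM/Some_App-Tunnel@c6787463:0 packet: tcp 89.229.152.144:63252 -> 10.0.0.1:22",
]
SNATMAP_LINES = [  # hypothetical iRule output, see SNATMAP_RE
    "May 17 14:42:00 tmm0 tmm[22565]: Rule /Common/log_snat <SERVER_CONNECTED>: "
    "SNATMAP 192.168.12.18:58680 -> 10.0.0.5:40001 -> 10.0.0.1:22",
    "May 17 14:41:10 tmm1 tmm1[22565]: Rule /Common/log_snat <SERVER_CONNECTED>: "
    "SNATMAP 89.229.152.144:63252 -> 10.0.0.5:40002 -> 10.0.0.1:22",
]
SSHD_LINES = [  # backend 10.0.0.1 only ever sees the SNAT address 10.0.0.5
    "May 17 14:42:01 srv1 sshd[4021]: Accepted publickey for admin from 10.0.0.5 port 40001 ssh2",
    "May 17 14:41:11 srv1 sshd[4008]: Accepted publickey for ops from 10.0.0.5 port 40002 ssh2",
    "May 17 14:50:09 srv1 sshd[4077]: Accepted password for root from 10.0.0.5 port 40003 ssh2",
]


def demo() -> List[Dict[str, Optional[str]]]:
    return correlate(APM_LINES, SNATMAP_LINES, SSHD_LINES)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The third sshd line has no SNATMAP entry and therefore no client or APM session; that is the case a reviewer of backend audit logs should be alarmed by, which is why it is reported rather than dropped. On a production log stream the (snat_ip, snat_port) key has to be scoped by time as well, because the BIG-IP reuses a translation port once the earlier connection has aged out.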