SNAT Translation List utility config
Hello everyone, Yesterday I encountered a case like this: I created Local Traffice -->'SNAT translation list', before creating SNAT list and SNAT POOL, after creating, some traffic of VS had 504 gateway error, however, the IP and vlan of VS is 172.31.33.0/24 while the SNAT traslation I created has IP 172.31.22.20-22. But right after I deleted SNAT, the traffic returned to normal. In conclusion, everyone, let me ask if creating 'SNAT Translation List" before creating SNAT and SNAT Pool has any effect. Sincerely thank you,
SNAT is not forwarding traffic towards Pool
VIP, Self IP and SNAT are in same VLAN but Pool member is in different VLAN. Pool is reachable from Self IP. VIP and Pools are up, SNAT pool added in VIP. Traffic is visible on VIP from internet but SNAT is not forwarding traffic towards pool. pls suggest on this ? Internet >> WAF VIP (vlan 123) >> SNAT (vlan 123) or Self IP (vlan 123) >> Pool (vlan 456)
APM - How to configure logging of snat addresses for network access and app tunnels
Hello everyone, we are using BIG-IP Access Policy Manager to enable administrative access to systems via App Tunnel and Network Access resources. For security reasons, we need to be able to map requests logged on backend resources/systems (e.g. in SSH audit logs) to the session or user accessing said backend resource via App Tunnel or Network Access in APM. Currently, the following request information is logged. Network Access: May 17 14:42:00 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c1237463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c1237463:15 packet: tcp 192.168.12.18:58680 -> 10.0.0.1:22 App Tunnels: May 17 14:41:10 tmm1 tmm1[22565]: 01580002:5: /APM/ap_rmgw:Common:c6787463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c6787463:0 packet: tcp 89.229.152.144:63252 -> 10.0.0.1:2 For Network Access requests, an IP address of the lease pool configured in the Network Access resource is logged as the client IP. For App Tunnel requests, the public IP of the client accessing APM is logged as the client IP. In our setup, both requests will be NATed by APM before hitting the target system (through a snat pool in case of a Network Access request, through the active appliances backend IP in case of App Tunnels). Therefore, the APM self IPs (snat pool/appliance backend) will be logged on the target host, leading to us not being able to correlate logs in APM with logs on the target systems. Is there any way to log the SNAT/NAT addresses and ports used to access target systems through APM? I've tried using ACCESS_ACL_ALLOWED in an iRule to log additional information, unfortunately this event only seems to trigger on Portal Access resources, not when using App Tunnels or Network Access resources. Thank you, Fabian
SNAT 1:1 - Map client public IP to nat pool IP
I have a situation were we have a BIG IP F5 load balancer in front of a MS RRAS server acting as a VPN concentrator. When a user connects to the VPN the radius auth is proxied through a Cisco ISE instance to tie the user to an IP address, this allows us to create identity based firewall rules. The problem is at the moment RRAS is seeing all clients coming from the load balancer because we have SNAT enabled. In Cisco ISE you can only have one active session per endpoint ID and all users are comming through as the same endpoint ID (the load F5's internal SNAT address). So my question, it is possible to setup SNAT in a way that each client will come from a unique SNAT address from a SNAT pool?
Wildcard in SNAT
I want configure an snat translation to change the source IP ltm tries to connect *.f5.com(say). Can I use wildcard in snat? If not, is there any other solution to this? Current Scenerio: LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1 [Takes 0.0.0.0/0] --> Internet Issue: FW1 does't support *, can't allow access only to *.f5.com. Proposed: LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] -->FW1[Allow all https for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet OR LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] -->FW1[PBR to FW2 that supports * for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet ORSNAT irule doesn't match for a FastL4 VS for an IPSEC VPN
Hi everybody, I have a problem to bring up an IPSEC Tunnel between 2 firewall with one of them behind an F5 BIGIP. What I did : Create a VS FastL4 (Source Address 0.0.0.0/0, Destination Address my_public_ip_used_for_the_vpn, Service port All_Ports, Protocol All, Source Address Translation NONE). For the SNAT I tried to use a SNAT POOL For the SNAT I tried to use an iRule : when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.199.0.1/32] } { snat X.X.X.X.85 nexthop X.X.X.X.1 log local0. " -- SNAT VPN IPSEC S2S -- [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to [clientside {IP::local_addr}]:[clientside {TCP::local_port}]" } } For the SNAT I tried to use GUI : In all case the F5 doesn't take my SNAT rule and the traffic take another public IP. On the peer device (which is not behind an F5) I have a log "Asymmetric Routing". It's normal because he tries to establish the tunnel with an IP and there is another IP that respond to him. On the F5 I can see it on the logs 16:30:36.409542 IP Y.Y.Y.Y.isakmp > X.X.X**.85**.isakmp: isakmp: phase 1 I ident 16:30:51.939720 IP 10.199.0.1.isakmp > Y.Y.Y.Y.isakmp: isakmp: phase 1 I ident 16:30:51.939732 IP X.X.X**.251**.20251 > Y.Y.Y.Y.isakmp: isakmp: phase 1 ? ident The peer device seems to successfully contact my firewall on Y.Y.Y.85 but the F5 respond with the Y.Y.Y.251 Is there anything that I forgot in the configuration?
SNAT node to VIP iRule
Hey everyone - V13 All nodes point to F5 as default gateway Forwarding IP VIP 0.0.0.0 We would like outbound connections from each node to SNAT to it's respective VIP IP. Does someone have a configuration/iRule that will work for this? Also, if there was a way to use the same iRule for each VIP (without IP changes), that would be ideal. So based on configuration below, how can node1 (10.4.55.10) SNAT from existing VIP (10.3.0.10) ? ltm virtual VIP1 { destination 10.3.0.10:5986 ip-protocol tcp mask 255.255.255.255 pool POOL1 profiles { tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled } ltm pool POOL1 { members { NODE1:5986 { address 10.4.55.10 session monitor-enabled state up } } monitor tcp_half_open } ltm virtual vs_0.0.0.0_any { destination 0.0.0.0:any ip-forward mask any profiles { fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled } net route external_default_gateway { gw 10.3.0.1 network default } net self FLOATING_IP { address 10.4.55.1/24 allow-service all floating enabled traffic-group traffic-group-1 unit 1 vlan NODE1_VLAN }
F5 LTM SNAT: only 1 outgoing connection, multiple internal clients
I have an F5 LTM SNAT configured: ltm snat /Common/outgoing_snat_v6 { description "IPv6 SNAT translation" mirror enabled origins { ::/0 { } } snatpool /Common/outgoing_snatpool_v6 vlans { /Common/internal } vlans-enabled } ... with a translation configured as: ltm snat-translation /Common/ext_SNAT_v6 { address 2607:f160:c:301d::63 inherited-traffic-group true traffic-group /Common/traffic-group-1 } ... with snatpool configured as: ltm snatpool /Common/outgoing_snatpool_v6 { members { /Common/ext_SNAT_v6 } } ... and finally, with the SNAT type set to automap: vs_pool__snat_type { value automap } The goal is to achieve a single Diameter connection (single source IP, port) between F5 and the external element, while internally multiple Diameter clients connect via F5 to the external element: However, what ends up happening with this SNAT configuration is that multiple outgoing Diameter connections to the external Diameter element are opened, with the only difference between them being the source port (source IP, destination IP and port remained the same). The external element cannot handle multiple connections per the same origin IP and the same Diameter entity (internal clients are all configured to use the same Origin-Host during the Capabilities Exchange phase). Is there a way to configure F5 to funnel all the internal connections into a single outgoing one?Please validate iRule to Load balance the traffic based on SNAT.
Hello Folks, I need your help by verifying my iRule, responsible to SNAT the traffic generated from one Site (B) and going to another site (A), and should select specif pool to communicate further. when CLIENT_ACCEPTED { if { [IP::addr [IP::remote_addr] equals 1.1.1.0 mask 255.255.255.0] } { snat 1.1.1.1 pool Test_Pool } else {pool Normal} } Brief information about customer setup. Client has 2 sites located on different geographic area. We are managing their network setup. Being an ISP, we are responsible to load balance all the traffic flowing between two sites. Now, they have configured their network in such a way, where SiteA should see only one specific IP address when SiteB tries to communicate with SiteA. At the same time, load balance should work for both the sites. Please feel free to reply if you need any further informaiton to verify the iRule or share a better one.Choose SNAT based on URL in HTTP_REQUEST
Hi, Due to lack of external IPs I have two URLs that are resolved to a single IP. This IP is further NATTED to an internal IP in my network (the one of a VS on F5). Based on URL in HTTP_REQUEST an iRule is sending traffic to a node in one of two networks: 10.0.0.32/27 (VLAN 1001) and 10.0.0.64/27 (VLAN 1002) when HTTP_REQUEST { switch -glob [string tolower [HTTP::host]] { "*.url1.com*"{ node 10.0.0.83 80 log local0 "Redirected to live pool [HTTP::host]" } "*.url2.com*"{ node 10.0.0.41 80 log local0 "Redirected to live pool [HTTP::host]" } } } The VS has (now) has VLAN and Tunnel traffic enabled on VLAN 1002 and address 10.0.0.88 in it's SNAT pool list. Due to my DC design when a VS is in the same subnet as the node everything is perfect. When the subnet is different the traffic needs to go through same firewall couple of times and it makes any future troubleshooting difficult. What i would like to achieve is to force F5 to use a different SNAT address, depending on which URL it received the traffic. I tried adding VLAN 1001 to enabled VLANS in VS, adding address 10.0.0.60 to SNAT pool and adding a line: snat 10.0.0.60 to the second part of the iRule. Needles to say no luck, and so far only the works fine, and does not. I have version 12 if that's relevant.
