Basic set up using TMSH

TMSH challenge

Access your BIG-IP, perform a basic build of networking, pool and virtual server and establish that your environment is working. If you are unfamiliar with TMSH this is a good opportunity to get a feel for it.

For BIG-IP WebUI access open a browser and access Log into the BIG-IP VE system using the following credentials:

Username: admin

For BIG-IP terminal access, you have two options:

  • SSH Access from a Linux terminal window. Open a terminal window and type the following:

    ssh root@
    Password: default
  • Select the PuTTY icon on the bottom task bar and select bigip01

Given the following information, network the BIG-IP and build a basic pool and virtual server using SNAT automap.

VLANs Name: client_vlan server_vlan  
  Interface: 1.1 1.2  
IP Addressing Name: client_ip server_ip  
  IP Address:  
  VLAN: client_vlan server_vlan  
Pool Name: www_pool    
Virtual Server Name: www_vs    
  Pool www_pool    

Here are example TMSH command to help you:

Command examples for networking:

create net vlan <vlan-name> interfaces add { <interface> { untagged } }

create net self <ip_name> address <ip/mask> vlan <vlan_name>

create net route def_gw network gw

Command example for creating pool:

create ltm pool <pool name> members add { <ip:port> <ip:port> <etc> } monitor http

Command example for creating a standard virtual server:

create ltm virtual <vs name> destination <ip:port> pool <pool name> ip-protocol tcp source-address-translation { type automap }

Write your configuration to disk and create an archive:

save sys config
save sys ucs lab1-base-config


The tmsh commands to build the base configuration can be found in Module 3.12.

Log on to the BIG-IP WebUI and verify your virtual server is Available (green circle).

Using a new browser window (preferably a private browser window) access the web site at

Q1. In Request Detail at the top of the page, what is the client IP address and why?

SNATs and NATs

SNAT Pools

You will build a new FTP application, to take a closer look at SNATs and SNAT Pools using the tcpdump tool and view the connection table.

When building the FTP application you will use the default FTP profile and use Auto Map for the Source Translation address.

Go to Local Traffic > Pools and create a new pool.

Name ftp_pool
Health Monitor tcp
Service Port 21

Go to Local Traffic > Virtual Servers and create a new virtual server.

Name ftp_vs
Destination Address
Service Port 21
FTP Profile ftp
Source Address Translation Auto Map
Default Pool ftp_pool

Verify your FTP virtual server and pool are Available.

Open up a terminal window and SSH to the BIG-IP:

ssh root@
Password: default

Or use PuTTY:

Username: root
Passwood: default

At the BIG-IP CLI prompt do a tcpdump of the server-side traffic and watch the FTP pool member:

tcpdump -nni server_vlan host

From a Linux terminal window FTP to The logon credentials are root/default. It may take 15-20 to connect.

Q1. Do you see traffic destined for the for the FTP server? What is the source IP?

Imagine a dozen virtual servers using using Auto Map. It would be extremely difficult to watch for particular client traffic from a particular virtual server. Not to mention a SNAT IP address can only handle 65535. SNAT pools can make management and debugging a little easier and keep port exhaustion at bay.

Create a SNAT pool and assign it to the FTP server.

Go to Address Translation on the sidebar and select SNAT Pool List and create a new SNAT pool named SNATpool_249 with as a member.

Q2. Why might you require more than one IP address in the SNAT pool?

Go to the ftp_vs and change the Source Address Translation to the SNATpool_249 pool.

Let’s tried the tcpdump we did earlier, but have it limited to the pool member and SNAT pool IP:

tcpdump -nni server_vlan host and

Now there is no extraneous traffic being seen. Open a terminal window and ftp to and log on to the ftp server. User: root Password: default

Q3. What is the client IP that shows up in the tcpdump?

Open up another SSH session to the BIG-IP, go into TMSH and dump the connection table:

show sys connection

Find the connection with your client IP and the SNAT pool IP.

Q4. What are the ephemeral port numbers on your client-side source IP and server-side source IP?

More SNATs and NATs

Let’s take a look at using SNATs to allow internal resources to access external resources more securely and the difference between a SNAT and a NAT.

The LAMP server used for the internal server farm has a default gateway of and has no external access at this time, but you can SSH to it via the out-of-band management network at

On the BIG-IP, add a new self IP address named server_gw to the VLAN server_vlan, with an IP address of and netmask of

From the jumpbox, SSH to the LAMP server at You can open PuTTY, load the LAMP ( server profile and SSH to the LAMP server or open a terminal window and ssh root@ The username is f5 no other credentials are required, it may take up to 30 seconds to login.

Once logged in, change yourself to root:

su root
Password: default

At the command prompt, attempt to hit the Google open DNS server:

dig @

Q1. Did the command succeed?

On the BIG-IP, open the SNAT List and select Create

Create a new SNAT translation Name: server_snat, used the IP address for the Translation and limit the allowed ingress traffic to VLAN server_vlan.

In a BIG-IP terminal window, do a tcpdump on the client_vlan, limited to the and

From the LAMP server try the dig command again and the try to ping from the LAMP server.

Q2. Did the dig work? What was the source IP?. Did the ping work? What was the result?

From the Linux prompt attempt to FTP to

Q3. What happened when you try to FTP to the SNAT address?

Go to Statistics >> Module Statistics >> Local Traffic and select Statistics Type: SNAT Translations and review the information.

Under Address Translation go to the NAT List and create a NAT named server_15_nat with a NAT Address of and an Origin Address of

Attempt to FTP to Attempt to ping

Q4. When you attempted to FTP and ping and access behind the BIG-IP were you successful?