Forwarding Virtual Servers

Our web administrators would like to access the back-end server network. They all access from the same 10.1.10.0/24 subnet. Let’s create a virtual server that allows them and only them to get to the backend network. REMEMBER somewhere a router must have the route to the backend network inserted.

IP Forwarding Virtual Server

1. Create a new Forward (IP) type of virtual server named forward-to-servernet that only allows Source IPs from the 10.1.10.0/24, to the destination Network 10.1.20.0/24, all ports should be allowed and all protocols should be allowed.

   Q1. What happens if we don’t change the Protocol from TCP?

   Q2. What is the status of your new virtual server? Why?

2. Of course we are not going anywhere unless we install a route to the 10.1.20.0/24 network. From a command/terminal window on your jumpbox enter the add route command.

3. Windows requires elevated priveleges, click on Start, right click on Command Prompt, select Run as Administrator, select Yes at the pop-up:

   route add 10.1.20.0 mask 255.255.255.0 10.1.10.245
   

   

4. Verifiy your route has been added:

   netstat -r
   

   

5. Open up statistics for forward-to-servernet and from the jumpbox terminal window test access to the 10.1.20.0/24 subnet:

   • ping 10.1.20.11
   • nslookup hackazon.f5demo.com 10.1.20.12 (windows)
   • http://10.1.20.13 (from a browser)

By the way, if you take a look at the iApp templates you will find one for building IP Forwarding virtual servers.

More on Transparent Virtual Servers

You have a pool of servers running multiple applications (FTP, HTTP, SSH, etc) and you don’t want to create a virtual server for each application. In this case a transparent virtual server that doesn’t translate the port would work best.

Build your transparent pool and virtual server

1. Create a new pool called transparent-pool, use the gateway_icmp monitor with the member 10.1.20.14:* and 10.1.20.15:*, wildcard * for the port.

   Q1. Why did we use gateway_icmp? What other kind of monitor could we have used?

2. Create a virtual server called transparent-vs with a IP address of 10.1.10.95 with the wildcard port *, since we can’t put any L7 profiles on this virtual server a virtual server type of Performance (Layer 4) will be more efficient, Finally configure transparent-pool as the virtual server pool. Don’t forget to set SNAT Automap.

   Note

   Open the Advanced menu and notice that Address Translation is still enabled, but Port Translation is not.

3. Test your virtual server.

4. Browse to http://10.1.10.95.

   Q2. Did it work? What were the image results?

5. Browse to https://10.1.10.95.

   Q3. Did it work?

6. DNS is running to the LAMP server. SSH or PuTTY to 10.1.1.252 (LAMP server). In the LAMP terminal window:

   dig @10.1.10.95 hackazon.f5demo.com
   
   *Q4. Did it work? Why not and how would you fix it?*