Unofficial - F5 Certification Exam Prep Material > F5 301A - BIG-IP LTM Specialist Labs - Created 11/01/19 > Lab 6 - Virtual Servers and Packet Processing Review Source | Edit on

Forwarding Virtual Servers¶

Our web administrators would like to access the back-end server network. They all access from the same 10.1.10.0/24 subnet. Let’s create a virtual server that allows them and only them to get to the backend network. REMEMBER somewhere a router must have the route to the backend network inserted.

IP Forwarding Virtual Server¶

Create a new Forward (IP) type of virtual server named forward-to-servernet that only allows Source IPs from the 10.1.10.0/24, to the destination Network 10.1.20.0/24, all ports should be allowed and all protocols should be allowed.

Q1. What happens if we don’t change the Protocol from TCP?

Q2. What is the status of your new virtual server? Why?

Of course we are not going anywhere unless we install a route to the 10.1.20.0/24 network. From a command/terminal window on your jumpbox enter the add route command.

Windows requires elevated priveleges, click on Start, right click on Command Prompt, select Run as Administrator, select Yes at the pop-up:

route add 10.1.20.0 mask 255.255.255.0 10.1.10.245

Linux (enter the user password when prompted):

sudo route add -net 10.1.20.0/24 gw 10.1.10.245

Enter f5DEMOs4u if prompted for a password.

Verifiy your route has been added (works for Windows and Linux):

netstat -r

Open up statistics for forward-to-servernet and from the jumpbox terminal window test access to the 10.1.20.0/24 subnet:

ping 10.1.20.11

nslookup hackzon.f5demo.com 10.1.20.12 (windows) or dig @10.1.20.12 hackazon.f5demo.com (linux)

http://10.1.20.13 (from a browser) or curl 10.1.20.13 (linux)

By the way, if you take a look at the iApp templates you will find one for building IP Forwarding virtual servers.

More on Transparent Virtual Servers¶

You have a pool of servers running multiple applications (FTP, HTTP, SSH, etc) and you don’t want to create a virtual server for each application. In this case a transparent virtual server that doesn’t translate the port would work best.

Build your transparent pool and virtual server

Create a new pool called transparent-pool, use the gateway_icmp monitor with the member 10.1.20.14:* and 10.1.20.15:*, wildcard * for the port.

Q1. Why did we use gateway_icmp? What other kind of monitor could we have used?

Create a virtual server called transparent-vs with a IP address of 10.1.10.95 with with the wildcard port *, since we can’t put any L7 profiles on this virtual server a virtual server type of Performance (Layer 4) will be more efficient, Finally configure transparent-pool as the virtual server pool.

Note

Open the Advanced menu and notice that Address Translation is still enabled, but Port Translation is not.

Test your virtual server.

Browse to http://10.1.10.95.

Q2. Did it work? What were the image results?

Browse to https://10.1.10.95.

Q3. Did it work?

DNS is running to the LAMP server. SSH or PuTTY to 10.1.1.252 (LAMP server). In the LAMP terminal window:

dig @10.1.10.95 hackazon.f5demo.com

Q4. Did it work? Why not and how would you fix it?

Previous Next