
11/21/2019 Basic set up using TMSH

Unofficial F5 Networks Certification Exam Prep Material > F5 301A - BIG-IP LTM Specialist Labs 11/01/19 > Lab 1 - Basic Setup, TMSH and SNATs
Source repository: https://github.com/f5devcentral/f5-agility-labs-cert

Basic set up using TMSH¶

TMSH challenge¶

Access your BIG-IP, perform a basic build of networking, pool and virtual server and establish that
your environment is working. If you are unfamiliar with TMSH this is a good opportunity to get a
feel for it.

For BIG-IP WebUI access open a browser and access https://10.1.1.245. Log into the BIG-IP VE
system using the following credentials:

Username: admin
Password: admin

For BIG-IP terminal access, you have two options:

SSH access from a Linux terminal window. Open a terminal window and type the following:

ssh root@10.1.1.245
Password: default

Or select the PuTTY icon on the bottom task bar and select bigip01.

Note

If you use PuTTY, your MIDDLE mouse button or Shift+Insert allows you to paste into
the window.

Given the following information, network the BIG-IP and build a basic pool and virtual server using
SNAT automap.

VLANs
  Name:        client_vlan      server_vlan
  Interface:   1.1              1.2

IP Addressing
  Name:        client_ip        server_ip
  IP Address:  10.1.10.245      10.1.20.245
  Netmask:     255.255.255.0    255.255.255.0
  VLAN:        client_vlan      server_vlan

Pool
  Name:        www_pool
  Members:     10.1.20.11:80    10.1.20.12:80    10.1.20.13:80

Virtual Server
  Name:        www_vs
  Destination: 10.1.10.100:80
  Pool:        www_pool

Here are example TMSH commands to help you:

Command examples for networking:

create net vlan <vlan-name> interfaces add { <interface> { untagged } }

create net self <ip_name> address <ip/mask> vlan <vlan_name>

create net route def_gw network 0.0.0.0/0 gw 10.1.10.1

Command example for creating pool:

create ltm pool <pool name> members add { <ip:port> <ip:port> <etc> } monitor http

Command example for creating a standard virtual server:

create ltm virtual <vs name> destination <ip:port> pool <pool name> ip-protocol tcp

Write your configuration to disk and create an archive:

save sys config


save sys ucs lab1-base-config
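The networking, pool and virtual server steps above are one procedure, so here is a single added example (not part of the lab guide or any F5 tool): a small Python generator that takes the lab table values, checks that the pool members, VS destination and default gateway actually sit in the subnets of the self IPs they depend on, and renders the tmsh lines in dependency order. The default-gateway IP 10.1.10.1 is taken from the route example above; all function and key names are this example's own.

```python
import ipaddress

# Lab values from the table above; the gateway IP comes from the route example
# in the text. All names below are this example's own, not tmsh or F5 APIs.
LAB = {
    "vlans": {"client_vlan": "1.1", "server_vlan": "1.2"},
    "selfips": {"client_ip": ("10.1.10.245/24", "client_vlan"),
                "server_ip": ("10.1.20.245/24", "server_vlan")},
    "gateway": "10.1.10.1",
    "pool": ("www_pool", ["10.1.20.11:80", "10.1.20.12:80", "10.1.20.13:80"]),
    "virtual": ("www_vs", "10.1.10.100:80", "www_pool"),
}

def _ip(ip_port):
    return ipaddress.ip_address(ip_port.rsplit(":", 1)[0])

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def check_topology(lab):
    """Pool members must sit in the server self IP's subnet; the VS destination
    and gateway in the client self IP's subnet. Returns a list of problems."""
    problems = []
    client_net = _net(lab["selfips"]["client_ip"][0])
    server_net = _net(lab["selfips"]["server_ip"][0])
    for m in lab["pool"][1]:
        if _ip(m) not in server_net:
            problems.append(f"pool member {m} not in {server_net}")
    if _ip(lab["virtual"][1]) not in client_net:
        problems.append(f"virtual {lab['virtual'][1]} not in {client_net}")
    if _ip(lab["gateway"]) not in client_net:
        problems.append(f"gateway {lab['gateway']} not in {client_net}")
    return problems

def tmsh_commands(lab):
    """Render tmsh lines in dependency order: VLANs, self IPs, route, pool, VS, save."""
    problems = check_topology(lab)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [f"create net vlan {v} interfaces add {{ {i} {{ untagged }} }}"
            for v, i in lab["vlans"].items()]
    cmds += [f"create net self {n} address {c} vlan {v}"
             for n, (c, v) in lab["selfips"].items()]
    cmds.append(f"create net route def_gw network 0.0.0.0/0 gw {lab['gateway']}")
    pool, members = lab["pool"]
    cmds.append(f"create ltm pool {pool} members add {{ {' '.join(members)} }} monitor http")
    vs, dest, pool_ref = lab["virtual"]
    cmds.append(f"create ltm virtual {vs} destination {dest} pool {pool_ref} ip-protocol tcp")
    cmds += ["save sys config", "save sys ucs lab1-base-config"]
    return cmds
```

Paste the rendered lines into tmsh one at a time, or adapt the lab values in LAB to another environment and re-run the topology check first.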

Note

The tmsh commands to build the base configuration can be found in Module 3.12.

Log on to the BIG-IP WebUI and verify your virtual server is Available (green circle).

Using a new browser window (preferably a private browser window) access the web site at
http://10.1.10.100

Q1. In Request Detail at the top of the page, what is the client IP address and why?

SNATs and NATs¶

SNAT Pools¶


You will build a new FTP application to take a closer look at SNATs and SNAT pools, using the
tcpdump tool and viewing the connection table.

When building the FTP application you will use the default FTP profile and use Auto Map for the
Source Translation address.

Go to Local Traffic > Pools and create a new pool.

Name ftp_pool
Health Monitor tcp
Address 10.1.20.11
Service Port 21

Go to Local Traffic > Virtual Servers and create a new virtual server.

Name ftp_vs
Destination Address 10.1.10.100
Service Port 21
FTP Profile ftp
Source Address Translation Auto Map
Default Pool ftp_pool

Verify your FTP virtual server and pool are Available.

Open up a terminal window and SSH to the BIG-IP:

ssh root@10.1.1.245
Password: default

Or use PuTTY:

Username: root
Password: default

At the BIG-IP CLI prompt do a tcpdump of the server-side traffic and watch the FTP pool member:

tcpdump -nni server_vlan host 10.1.20.11

From a Linux terminal window FTP to 10.1.10.100. The logon credentials are root/default. It may take
15-20 to connect.

Q1. Do you see traffic destined for the FTP server? What is the source IP?


Imagine a dozen virtual servers using Auto Map. It would be extremely difficult to watch for
particular client traffic from a particular virtual server. Not to mention that a SNAT IP address can only
handle 65535 ports. SNAT pools can make management and debugging a little easier and keep port
exhaustion at bay.

Create a SNAT pool and assign it to the FTP server.

Go to Address Translation on the sidebar and select SNAT Pool List and create a new SNAT pool
named SNATpool_249 with 10.1.20.249 as a member.

Q2. Why might you require more than one IP address in the SNAT pool?

Go to the ftp_vs and change the Source Address Translation to the SNATpool_249 pool.

Let's try the tcpdump we did earlier, but limit it to the pool member and the SNAT pool IP:

tcpdump -nni server_vlan host 10.1.20.15 and 10.1.20.249

Now there is no extraneous traffic being seen. Open a terminal window, ftp to 10.1.10.100 and
log on to the FTP server. User: root Password: default

Q3. What is the client IP that shows up in the tcpdump?

Open up another SSH session to the BIG-IP, go into TMSH and dump the connection table:

show sys connection

Find the connection with your client IP 10.1.10.51 and the SNAT pool IP.

Q4. What are the ephemeral port numbers on your client-side source IP and server-side source IP?
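To answer Q3/Q4 without reading the connection table by eye, and to quantify the port-exhaustion point raised above, here is an added example (not from the lab guide or F5): a parser for the record lines of `show sys connection`, a lookup of the client-side and server-side ephemeral ports for one client/SNAT pair, and a per-SNAT-address count of ports in use against the 65535 ceiling. The sample output is constructed for this lab's addresses and assumes the four-endpoint record format "client - virtual - snat - member".

```python
import ipaddress
from collections import Counter

# Constructed sample in the shape of `show sys connection` output for this lab:
# clientside client - clientside server - serverside client - serverside server.
SAMPLE = """\
Sys::Connections
10.1.10.51:49152 - 10.1.10.100:21 - 10.1.20.249:12001 - 10.1.20.11:21
10.1.10.51:49153 - 10.1.10.100:80 - 10.1.20.245:40001 - 10.1.20.12:80
10.1.10.60:50000 - 10.1.10.100:21 - 10.1.20.249:12002 - 10.1.20.11:21
Total records returned: 3
"""

MAX_PORTS_PER_SNAT_IP = 65535  # per-address limit stated in the lab text

def _endpoint(s):
    ip, port = s.rsplit(":", 1)
    return ipaddress.ip_address(ip), int(port)

def parse_connections(text):
    """One dict per flow; header and 'Total records' lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) != 4 or ":" not in parts[0]:
            continue
        cs_client, cs_server, ss_client, ss_server = map(_endpoint, parts)
        flows.append({"client": cs_client, "virtual": cs_server,
                      "snat": ss_client, "member": ss_server})
    return flows

def find_flow(flows, client_ip, snat_ip):
    """(client ephemeral port, SNAT ephemeral port) for the first flow between
    client_ip and snat_ip, as asked in Q4; None if there is no such flow."""
    cip, sip = ipaddress.ip_address(client_ip), ipaddress.ip_address(snat_ip)
    for f in flows:
        if f["client"][0] == cip and f["snat"][0] == sip:
            return f["client"][1], f["snat"][1]
    return None

def snat_usage(flows):
    """Ports in use per SNAT (server-side source) address and the headroom
    left before the 65535-port ceiling, to spot exhaustion early."""
    used = Counter(str(f["snat"][0]) for f in flows)
    return {ip: {"in_use": n, "free": MAX_PORTS_PER_SNAT_IP - n}
            for ip, n in used.items()}
```

Feed it the real output captured from the TMSH session (`show sys connection` redirected to a file) to see Auto Map flows appear under the self IP 10.1.20.245 and SNAT-pool flows under 10.1.20.249.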

More SNATs and NATs¶

Let's take a look at using SNATs to allow internal resources to access external resources more
securely, and at the difference between a SNAT and a NAT.

The LAMP server used for the internal server farm has a default gateway of 10.1.20.240 and has no
external access at this time, but you can SSH to it via the out-of-band management network at
10.1.1.252.

On the BIG-IP, add a new self IP address named server_gw to the VLAN server_vlan, with an IP
address of 10.1.20.240 and netmask of 255.255.255.0

From the jumpbox, SSH to the LAMP server at 10.1.1.252. You can open PuTTY, load the LAMP
(10.1.1.252) server profile and SSH to the LAMP server, or open a terminal window and run ssh
root@10.1.1.252. The user credentials are root/default.

At the command prompt, attempt to hit the Google open DNS server:


dig @8.8.4.4

Q1. Did the command succeed?

On the BIG-IP, open the SNAT List and select Create

Create a new SNAT translation named server_snat, use the IP address 10.1.10.248 for the
Translation and limit the allowed ingress traffic to VLAN server_vlan.

In a BIG-IP terminal window, do a tcpdump on the client_vlan, limited to 10.1.20.248 and
8.8.4.4.

From the LAMP server try the dig command again, and then try to ping 8.8.4.4 from the LAMP
server.

Q2. Did the dig work? What was the source IP? Did the ping work? What was the result?

From the Linux prompt attempt to FTP to 10.1.10.248.

Q3. What happened when you tried to FTP to the SNAT address?

Go to Statistics >> Module Statistics >> Local Traffic, select Statistics Type: SNAT Translations
and review the information.

Under Address Translation go to the NAT List and create a NAT named server_15_nat with a NAT
Address of 10.1.10.15 and an Origin Address of 10.1.20.15.

Attempt to FTP to 10.1.10.15. Attempt to ping 10.1.10.15.

Q4. When you attempted to FTP and ping 10.1.10.15 and access 10.1.20.15 behind the BIG-IP were
you successful?
