Basic Set Up Using TMSH
Unofficial - F5 Networks Certification Exam Prep Material > F5 301A - BIG-IP LTM Specialist Labs (11/01/19) > Lab 1 - Basic Setup, TMSH and SNATs
Source: https://github.com/f5devcentral/f5-agility-labs-cert
TMSH challenge
Access your BIG-IP, perform a basic build of networking, pool and virtual server and establish that
your environment is working. If you are unfamiliar with TMSH this is a good opportunity to get a
feel for it.
For BIG-IP WebUI access open a browser and access https://10.1.1.245. Log into the BIG-IP VE
system using the following credentials:
Username: admin
Password: admin
SSH access from a Linux terminal window: open a terminal window and type the following:
ssh root@10.1.1.245
Password: default
Alternatively, select the PuTTY icon on the bottom task bar and select bigip01.
Note
If you use PuTTY, your MIDDLE mouse button or <shift> insert allows you to paste into
the window
Given the following information, network the BIG-IP and build a basic pool and virtual server using
SNAT automap. The virtual server needs the source-address-translation clause, otherwise the pool
members see the real client address rather than the BIG-IP self IP:
create ltm pool <pool name> members add { <ip:port> <ip:port> <etc> } monitor http
create ltm virtual <vs name> destination <ip:port> pool <pool name> ip-protocol tcp source-address-translation { type automap }
Note
The tmsh commands to build the base configuration can be found in Module 3.12.
Log on to the BIG-IP WebUI and verify your virtual server is Available (green circle).
Using a new browser window (preferably a private browser window) access the web site at
http://10.1.10.100
Q1. In Request Detail at the top of the page, what is the client IP address and why?
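The procedure above, as an added example that is not part of the lab page or of F5's own material: a script for the BIG-IP bash shell that issues the tmsh commands for the networking, pool and automap virtual server, then checks availability from tmsh output instead of the WebUI's green circle. The interface names (1.1, 1.2), the client-side self IP 10.1.10.245 and the pool members 10.1.20.11:80 and 10.1.20.12:80 are assumptions; only 10.1.10.100, 10.1.20.240, client_vlan and server_vlan come from the lab text. DRY_RUN=1 (the default) prints the commands rather than running them, so the script can be reviewed before it touches a device.

```shell
#!/bin/bash
# Added example, not the lab's own code. Builds the lab networking, an HTTP
# pool and a virtual server with SNAT automap through tmsh, then verifies the
# virtual server. Interface names, the client self IP and the pool members
# are assumptions (see the lead-in). DRY_RUN=1 only prints the tmsh commands.
set -u
DRY_RUN="${DRY_RUN:-1}"

# Run one tmsh command, or print it when in dry-run mode.
tmsh_run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'tmsh %s\n' "$1"
    else
        tmsh -c "$1"
    fi
}

# Networking: one untagged interface per VLAN, one self IP per VLAN.
# 10.1.20.240 is the gateway the lab's LAMP server points at.
build_network() {
    tmsh_run "create net vlan client_vlan interfaces add { 1.1 { untagged } }"
    tmsh_run "create net vlan server_vlan interfaces add { 1.2 { untagged } }"
    tmsh_run "create net self client_self address 10.1.10.245/24 vlan client_vlan"
    tmsh_run "create net self server_gw address 10.1.20.240/24 vlan server_vlan"
}

# Pool with an HTTP monitor and a TCP virtual server that SNATs to the
# BIG-IP self IP on the egress VLAN (automap). Usage:
#   build_app <pool name> <vs name> <vip:port> <member:port>...
build_app() {
    local pool="$1" vs="$2" vip="$3"
    shift 3
    local members="$*"
    tmsh_run "create ltm pool $pool members add { $members } monitor http"
    tmsh_run "create ltm virtual $vs destination $vip pool $pool ip-protocol tcp source-address-translation { type automap }"
}

# Reads "tmsh show ltm virtual <name>" output on stdin; succeeds only when the
# Status block reports the virtual server as available (green in the WebUI).
vs_is_available() {
    grep -qiE '^[[:space:]]*Availability[[:space:]]*:[[:space:]]*available'
}

main() {
    build_network
    build_app web_pool web_vs 10.1.10.100:80 10.1.20.11:80 10.1.20.12:80
    if [ "$DRY_RUN" != 1 ]; then
        tmsh_run "save sys config"
        sleep 10   # give the http monitor time to mark the members up
        if tmsh show ltm virtual web_vs | vs_is_available; then
            echo "web_vs is available"
        else
            echo "web_vs is NOT available: check the monitor and member state" >&2
            return 1
        fi
    fi
}

main "$@"
```

Run it once with the default dry run to read the commands, then with DRY_RUN=0 on the BIG-IP. The availability check is deliberately a separate function that reads stdin, so the same parser works on a saved copy of `tmsh show ltm virtual` output.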
SNAT Pools
https://clouddocs.f5.com/training/community/f5cert/html/class6/module01/lab1.html 2/5
11/21/2019 Basic set up using TMSH
You will build a new FTP application to take a closer look at SNATs and SNAT pools, using the
tcpdump tool and the connection table.
When building the FTP application you will use the default FTP profile and Auto Map for the
Source Address Translation.
Go to Local Traffic > Pools and create a new pool:
Name: ftp_pool
Health Monitor: tcp
Address: 10.1.20.11
Service Port: 21
Go to Local Traffic > Virtual Servers and create a new virtual server:
Name: ftp_vs
Destination Address: 10.1.10.100
Service Port: 21
FTP Profile: ftp
Source Address Translation: Auto Map
Default Pool: ftp_pool
ssh root@10.1.1.245
Password: default
Or use PuTTY:
Username: root
Password: default
At the BIG-IP CLI prompt, run a tcpdump of the server-side traffic, filtered to the FTP pool
member (10.1.20.11), and watch it while you connect.
From a Linux terminal window, FTP to 10.1.10.100. The logon credentials are root/default. It may take
15-20 seconds to connect.
Q1. Do you see traffic destined for the FTP server? What is the source IP?
Imagine a dozen virtual servers using Auto Map. It would be extremely difficult to pick out the
traffic from a particular client and a particular virtual server, because every virtual server shares
the same self IP as its source. Not to mention that a single SNAT address has only about 65,000
ephemeral ports available for connections to any one destination. SNAT pools make management and
debugging a little easier and keep port exhaustion at bay.
Go to Address Translation on the sidebar and select SNAT Pool List and create a new SNAT pool
named SNATpool_249 with 10.1.20.249 as a member.
Q2. Why might you require more than one IP address in the SNAT pool?
Go to the ftp_vs and change the Source Address Translation to the SNATpool_249 pool.
Now run the tcpdump from earlier again, but limited to the pool member and the SNAT pool IP
(10.1.20.249). There is no extraneous traffic to wade through this time. Open a terminal window,
FTP to 10.1.10.100 and log on to the FTP server. User: root Password: default
Open another SSH session to the BIG-IP, enter tmsh and show the connection table (show sys connection).
Find the connection with your client IP 10.1.10.51 and the SNAT pool IP.
Q4. What are the ephemeral port numbers on your client-side source IP and server-side source IP?
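The tcpdump filters and the connection-table lookup for the SNAT pool exercise, as an added example that is not part of the lab page: bash for the BIG-IP shell, with a small awk parser that answers the question above by pulling the client-side and server-side source ports of the FTP control connection out of `tmsh show sys connection` output. The addresses (10.1.10.51, 10.1.20.11, 10.1.20.249) are the lab's; the connection-table sample is constructed for the test and assumes the column order cs-client, cs-server, ss-client, ss-server, protocol, idle time.

```shell
#!/bin/bash
# Added example, not the lab's own code. Capture helpers and a parser for
# "tmsh show sys connection" that reports the two source ports of a SNATed
# flow. The sample table below is constructed; column order is an assumption.
set -u

CLIENT_IP=10.1.10.51     # jumpbox, from the lab text
POOL_MEMBER=10.1.20.11   # FTP server (ftp_pool member), from the lab text
SNAT_IP=10.1.20.249      # member of SNATpool_249, from the lab text

# Server-side captures. "member": everything to or from the pool member, which
# is noisy once several automap virtual servers share one self IP. "snat":
# only flows between the SNAT pool address and the member.
start_capture() {
    case "$1" in
        member) tcpdump -ni server_vlan host "$POOL_MEMBER" ;;
        snat)   tcpdump -ni server_vlan host "$POOL_MEMBER" and host "$SNAT_IP" ;;
        *)      echo "usage: start_capture member|snat" >&2; return 2 ;;
    esac
}

# Reads connection-table text on stdin; args: client IP, SNAT IP, server port.
# Prints both halves of each matching flow and fails when nothing matches.
snat_ports() {
    local client="$1" snat="$2" sport="$3"
    awk -v c="$client" -v s="$snat" -v p="$sport" '
        function pfx(f, v) { return substr(f, 1, length(v) + 1) == v ":" }
        function sfx(f, v) { return substr(f, length(f) - length(v)) == ":" v }
        pfx($1, c) && pfx($3, s) && sfx($4, p) {
            split($1, cs, ":"); split($3, ss, ":")
            printf "client-side %s:%s -> %s ; server-side %s:%s -> %s\n",
                   cs[1], cs[2], $2, ss[1], ss[2], $4
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Live version for the BIG-IP: let tmsh pre-filter on the client address.
live_snat_ports() {
    tmsh show sys connection cs-client-addr "$CLIENT_IP" | snat_ports "$CLIENT_IP" "$SNAT_IP" 21
}

# Constructed sample of "tmsh show sys connection" output: one FTP control
# connection and one unrelated HTTP flow through the same SNAT pool.
SAMPLE_CONN_TABLE='Sys::Connections
10.1.10.51:52718  10.1.10.100:21  10.1.20.249:52718  10.1.20.11:21  tcp  4  (tmm: 0)  none  none
10.1.10.51:41022  10.1.10.100:80  10.1.20.249:41022  10.1.20.12:80  tcp  1  (tmm: 1)  none  none
Total records returned: 2'

printf '%s\n' "$SAMPLE_CONN_TABLE" | snat_ports "$CLIENT_IP" "$SNAT_IP" 21
```

In the sample the server-side source port equals the client-side one because a virtual server's default source-port setting is preserve, which reuses the client's port on the SNAT address when it is free; when it is not, the BIG-IP picks another ephemeral port and the two numbers differ, which is exactly what the parser makes visible.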
Let's take a look at using SNATs to allow internal resources to access external resources more
securely, and at the difference between a SNAT and a NAT.
The LAMP server used for the internal server farm has a default gateway of 10.1.20.240 and has no
external access at this time, but you can SSH to it via the out-of-band management network at
10.1.1.252.
On the BIG-IP, add a new self IP address named server_gw to the VLAN server_vlan, with an IP
address of 10.1.20.240 and netmask of 255.255.255.0
From the jumpbox, SSH to the LAMP server at 10.1.1.252. You can open PuTTY, load the LAMP
(10.1.1.252) server profile and SSH to the LAMP server, or open a terminal window and ssh
root@10.1.1.252. The user credentials are root/default.
At the command prompt, attempt to hit the Google open DNS server:
dig @8.8.4.4
Create a new SNAT translation named server_snat, use the IP address 10.1.10.248 for the
Translation, and limit the allowed ingress traffic to VLAN server_vlan.
In a BIG-IP terminal window, run a tcpdump on the client_vlan, limited to 10.1.10.248 and
8.8.4.4.
From the LAMP server try the dig command again, and then try to ping 8.8.4.4 from the LAMP
server.
Q2. Did the dig work? What was the source IP? Did the ping work? What was the result?
Q3. What happened when you tried to FTP to the SNAT address, 10.1.10.248?
Go to Statistics >> Module Statistics >> Local Traffic and select Statistics Type: SNAT Translations
and review the information.
Under Address Translation go to the NAT List and create a NAT named server_15_nat with a NAT
Address of 10.1.10.15 and an Origin Address of 10.1.20.15.
Q4. When you attempt to FTP and ping 10.1.10.15, and to reach 10.1.20.15 behind the BIG-IP, are
you successful?
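The SNAT-versus-NAT steps above in tmsh, as an added example that is not part of the lab page or of F5's material: the gateway self IP, the VLAN-restricted outbound SNAT, the 1:1 NAT, and the client_vlan capture that shows the translated DNS traffic. The object names and addresses (server_gw, server_snat, 10.1.10.248, server_15_nat, 10.1.10.15 and 10.1.20.15) are the lab's. The SNAT origin 0.0.0.0/0 is an assumption that mirrors the WebUI's default of all addresses, and DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/bash
# Added example, not the lab's own code. tmsh equivalents of the WebUI steps
# for the SNAT and NAT exercise. The 0.0.0.0/0 origin is an assumption
# matching the WebUI default; DRY_RUN=1 only prints the commands.
set -u
DRY_RUN="${DRY_RUN:-1}"

tmsh_run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'tmsh %s\n' "$1"
    else
        tmsh -c "$1"
    fi
}

# Self IP that terminates the LAMP server's default route (10.1.20.240).
add_server_gateway() {
    tmsh_run "create net self server_gw address 10.1.20.240/24 vlan server_vlan"
}

# Outbound SNAT: any source arriving on server_vlan leaves as 10.1.10.248.
# vlans-enabled restricts the SNAT to the listed VLAN, so a packet arriving on
# client_vlan never matches it. A SNAT only creates connections in one
# direction; nothing can initiate a connection to 10.1.10.248 through it.
create_outbound_snat() {
    tmsh_run "create ltm snat server_snat translation 10.1.10.248 origins add { 0.0.0.0/0 } vlans add { server_vlan } vlans-enabled"
}

# NAT: a 1:1 bidirectional mapping. Outbound, 10.1.20.15 appears as
# 10.1.10.15; inbound, connections to 10.1.10.15 reach 10.1.20.15. That
# second direction is what distinguishes it from the SNAT above.
create_nat() {
    tmsh_run "create ltm nat server_15_nat originating-address 10.1.20.15 translation-address 10.1.10.15"
}

# Client-side capture limited to the translated DNS traffic.
capture_snat_egress() {
    tcpdump -ni client_vlan host 10.1.10.248 and host 8.8.4.4
}

main() {
    add_server_gateway
    create_outbound_snat
    create_nat
    [ "$DRY_RUN" = 1 ] || tmsh_run "save sys config"
}

main "$@"
```

Apply the SNAT first and run `capture_snat_egress` while repeating the dig from the LAMP server; add the NAT only afterwards, so the difference in what each object exposes on client_vlan is visible in the capture.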