NHLD

Marlon_Juarez Member

Hello everyone! I would like to ask you for help, since I need to configure a client/server VPN where the client request comes from the internet and reaches the A10, which balances 3 links (NHLD); the A10 must then send the client's request to the Firewall (LAN), which is the VPN server.

Thanks a lot for your help!

Comments

  • mdunn Member, A10ers

    If I'm understanding correctly, the A10 is performing NHLD across 3 links, but for the VPN connections, do you want to send those connections to only 1 particular link? Are we trying to prevent load balancing these client VPN connections?

  • Hello! Thanks for the answer. Let me explain: the structure is as follows

    Client VPN > 3 links > NHLD > Firewall > LAN

    The client wants the VPN requests from Internet clients, regardless of the link, to be sent by the balancer to the FW so that it acts as the VPN server. Do you think this request is possible?

  • mdunn Member, A10ers

    This should be possible. I'm imagining we may use a unique wildcard VIP + ACL for the VPN destination IP. Could you share a sanitized configuration for review?

  • At the moment there is no configuration, because it will be a new installation that we will carry out shortly,

    but I wanted to get ahead by validating whether what the client is requesting is possible.

    Do you know any configuration that could help me with this?

  • mdunn Member, A10ers

    There is an NHLD configuration example within the Application Delivery Controller admin guide, as well as an explanation of the configuration elements. One piece I'm curious about is in this flow:

    Client VPN > 3 links > NHLD > Firewall > LAN

    Are the "client VPN" connections sourcing from the public internet?

    Traditionally, NHLD is used to distribute connections from internal clients out to the internet across multiple firewalls or internet links. In your use case, what function is NHLD performing for connections sourcing from the Internet destined for your private LAN?

  • Hello!

    That's right: the NHLD is being configured so that internal connections from the LAN can go out to 2 ISPs, and it is also correct that the VPN clients originate the connection from the internet to the FW LAN.

  • mdunn Member, A10ers

    For traffic sourcing from the internet, these flows may pass through the A10, but unless you are load balancing those connections across the WAN side of multiple firewalls, the A10 should not process the flows. The ACLs tied to the Wildcard VIPs should be configured to intercept internal client connections. Traffic which is not intercepted by the wildcard VIPs will not be processed by SLB and will follow the route table on the A10 device.

  • Hello, mdunn! Thank you for your help! I have the configuration.

    The Thunder is performing the NHLD function with two ISPs and 3 published sites. Internet browsing and the published sites work correctly, but there is a NAT from one of the ISPs to a private IP address (LAN); this NAT is used for the SSL VPN connection on a Firewall.

    I have tried to configure static NAT, pool NAT, and a server with the destination IP, but with none of the above options did the request reach the VPN on the firewall: the request did reach the firewall, but not the SSL VPN on the firewall.

    At the time I captured the configuration I was trying to do it with pool NAT, but I also tried static NAT and it didn't work.

    According to your answer, to be able to perform the static NAT function I must configure an ACL with the IP so that the traffic matches and is sent to the static NAT, am I correct?

    This is the configuration:


    !64-bit Advanced Core OS (ACOS) version 5.2.1-P9, build 72 (Nov-28-2023,00:39)
    !
    vrrp-a common
    device-id 2
    set-id 1
    enable
    exit-module
    !
    vcs enable
    !
    device-context 1
    vcs enable
    !
    device-context 2
    vcs enable
    !
    vcs floating-ip 172.1.1.221 255.255.255.0
    !
    vcs device 1
    priority 125
    interfaces management
    enable
    exit-module
    !
    vcs device 2
    priority 100
    interfaces management
    enable
    exit-module
    !
    authentication type local radius ldap
    authentication login privilege-mode
    authentication mode multiple
    !
    authentication console type local radius ldap
    !
    multi-config enable
    !
    ip dns primary 1.1.1.1
    !
    ip dns secondary 172.1.1.202
    !
    ip nat-global reset-idle-tcp-conn
    !
    vlan 1/4089
    untagged ethernet 2
    router-interface ve 4089
    name VLAN_ISP1
    exit-module
    !
    vlan 1/4091
    untagged ethernet 3
    router-interface ve 4091
    name VLAN_ISP2
    exit-module
    !
    vlan 1/4094
    untagged ethernet 1
    router-interface ve 4094
    name VLAN_LAN
    exit-module
    !
    vlan 2/4089
    untagged ethernet 2
    router-interface ve 4089
    name VLAN_ISP1
    exit-module
    !
    vlan 2/4091
    untagged ethernet 3
    router-interface ve 4091
    name VLAN_ISP2
    exit-module
    !
    vlan 2/4094
    untagged ethernet 1
    router-interface ve 4094
    name VLAN_LAN
    exit-module
    !
    vrrp-a vrid 0
    exit-module
    !
    device-context 1
    hostname thunder1
    !
    device-context 2
    hostname thunder2
    !
    device-context 1
    timezone America/Swift_Current
    !
    device-context 2
    timezone America/Swift_Current
    !
    device-context 1
    interface management
    ip address 172.1.1.218 255.255.255.0
    ip default-gateway 172.1.1.1
    exit-module
    !
    device-context 2
    interface management
    ip address 172.1.1.219 255.255.255.0
    ip default-gateway 172.1.1.1
    exit-module
    !
    interface ethernet 1/1
    enable
    exit-module
    !
    interface ethernet 1/2
    enable
    exit-module
    !
    interface ethernet 1/3
    enable
    exit-module
    !
    interface ethernet 1/4
    exit-module
    !
    interface ethernet 1/5
    exit-module
    !
    interface ethernet 1/6
    exit-module
    !
    interface ethernet 1/7
    exit-module
    !
    interface ethernet 1/8
    exit-module
    !
    interface ethernet 1/9
    exit-module
    !
    interface ethernet 1/10
    exit-module
    !
    interface ethernet 1/11
    exit-module
    !
    interface ethernet 1/12
    exit-module
    !
    interface ethernet 1/13
    exit-module
    !
    interface ethernet 2/1
    enable
    ip nat inside
    exit-module
    !
    interface ethernet 2/2
    enable
    ip nat outside
    exit-module
    !
    interface ethernet 2/3
    enable
    exit-module
    !
    interface ethernet 2/4
    exit-module
    !
    interface ethernet 2/5
    exit-module
    !
    interface ethernet 2/6
    exit-module
    !
    interface ethernet 2/7
    exit-module
    !
    interface ethernet 2/8
    exit-module
    !
    interface ethernet 2/9
    exit-module
    !
    interface ethernet 2/10
    exit-module
    !
    interface ethernet 2/11
    exit-module
    !
    interface ethernet 2/12
    exit-module
    !
    interface ethernet 2/13
    exit-module
    !
    interface ve 1/4089
    ip address 250.14.30.8 255.255.255.224
    ip nat outside
    exit-module
    !
    interface ve 1/4091
    ip address 240.13.31.9 255.255.255.240
    exit-module
    !
    interface ve 1/4094
    ip address 170.116.151.139 255.255.255.0
    ip allow-promiscuous-vip
    ip nat inside
    exit-module
    !
    interface ve 2/4089
    ip address 250.14.30.9 255.255.255.224
    ip nat outside
    exit-module
    !
    interface ve 2/4091
    ip address 240.13.31.10 255.255.255.240
    exit-module
    !
    interface ve 2/4094
    ip address 172.116.151.140 255.255.255.0
    ip allow-promiscuous-vip
    ip nat inside
    exit-module
    !
    vrrp-a vrid 0
    floating-ip 172.116.151.141
    floating-ip 250.14.30.11
    floating-ip 240.13.31.11
    device-context 1
    blade-parameters
    priority 150
    exit-module
    device-context 2
    blade-parameters
    priority 140
    exit-module
    exit-module
    !
    vrrp-a interface ethernet 1/1
    exit-module
    !
    vrrp-a interface ethernet 1/2
    exit-module
    !
    vrrp-a interface ethernet 1/3
    exit-module
    !
    vrrp-a interface ethernet 2/1
    exit-module
    !
    vrrp-a interface ethernet 2/2
    exit-module
    !
    vrrp-a interface ethernet 2/3
    exit-module
    !
    device-context 1
    disable-management service ping
    ethernet 1 to 13
    exit-module
    !
    device-context 2
    disable-management service ping
    ethernet 1 to 13
    exit-module
    !
    device-context 1
    disable-management service ntp
    ethernet 1 to 13
    ve 4089
    ve 4091
    ve 4094
    exit-module
    !
    device-context 2
    disable-management service ntp
    ethernet 1 to 13
    ve 4089
    ve 4091
    ve 4094
    exit-module
    !
    device-context 1
    ip route 0.0.0.0 /0 250.14.30.1 1 description "ISP1"
    ip route 0.0.0.0 /0 240.13.31.1 1 description "ISP2"
    ip route 0.0.0.0 /0 172.116.151.130 1 description LAN
    !
    device-context 2
    ip route 0.0.0.0 /0 250.14.30.1 1 description "ISP1"
    ip route 0.0.0.0 /0 240.13.31.1 1 description "ISP2"
    ip route 0.0.0.0 /0 172.116.151.130 1 description LAN
    !
    ip nat pool VPN_ISP1 250.14.30.2 250.14.30.2 netmask /27 gateway 250.14.30.1
    !
    ip nat pool pool_ISP2 240.13.31.8 240.13.31.8 netmask /28 gateway 240.13.31.1
    !
    ip nat pool pool_ISP2 250.14.30.8 250.14.30.8 netmask /27 gateway 250.14.30.1
    !
    ip nat pool-group POOLNAVEGACION
    member pool_ISP1
    member pool_ISP2
    exit-module
    !
    !
    slb template link-probe Prueba_NAVEGACION
    probe-interval 2
    probes-per-test 10
    test-interval 10
    selection-rule threshold
    user-tag NHLD_TM
    destination hostname www.a10networks.com resolve-to-ipv4
    exit-module
    !
    slb template port platilla_pool_nave
    source-nat POOLNAVEGACION
    exit-module
    !
    slb template port plantilla_pool_navega
    source-nat POOLNAVEGACION
    exit-module
    !
    slb server nodo_gw_ISP2 240.13.31.1
    health-check ping
    port 0 tcp
    health-check ping
    exit-module
    port 0 udp
    exit-module
    exit-module
    !
    slb server nodo_gw_ISP1 250.14.30.1
    port 0 tcp
    health-check ping
    exit-module
    port 0 udp
    exit-module
    exit-module
    !
    slb server nodo_mail 172.116.151.132
    health-check ping
    port 25 tcp
    exit-module
    port 25 udp
    exit-module
    exit-module
    !
    slb server nodo_portal1 172.116.151.144
    health-check ping
    port 443 tcp
    exit-module
    port 443 udp
    exit-module
    exit-module
    !
    slb server nodo_portal2 172.116.151.145
    health-check ping
    port 443 tcp
    exit-module
    port 443 udp
    exit-module
    exit-module
    !
    slb server s_VPN_NAVEGA 172.116.151.130
    port 443 tcp
    health-check ping
    exit-module
    exit-module
    !
    slb service-group pool_gw tcp
    health-check ping
    member nodo_gw_ISP1 0
    exit-module
    member nodo_gw_ISP2 0
    exit-module
    exit-module
    !
    slb service-group pool_gw_udp udp
    health-check ping
    member nodo_gw_ISP2 0
    exit-module
    member nodo_gw_ISP1 0
    exit-module
    exit-module
    !
    slb service-group pool_portal1 tcp
    health-check ping
    member nodo_portal1 443
    exit-module
    exit-module
    !
    slb service-group pool_portal1_UDP udp
    health-check ping
    member nodo_portal1 443
    exit-module
    exit-module
    !
    slb service-group pool_portal2 tcp
    health-check ping
    member nodo_portal2 443
    exit-module
    exit-module
    !
    slb service-group pool_portal2_UDP udp
    health-check ping
    member nodo_portal2 443
    exit-module
    exit-module
    !
    slb service-group pool_vpn tcp
    member s_VPN_NAVEGA 443
    exit-module
    exit-module
    !
    slb service-group pool_webmail tcp
    health-check ping
    member nodo_mail 25
    exit-module
    exit-module
    !
    slb service-group pool_webmail_UDP udp
    health-check ping
    member nodo_mail 25
    exit-module
    exit-module
    !
    slb virtual-server VS_GW 0.0.0.0
    port 0 others
    name VP_VS_GW_OTHERS
    clientip-sticky-nat
    source-nat pool POOLNAVEGACION
    service-group pool_gw_udp
    no-dest-nat
    exit-module
    port 0 tcp
    name VP_VS_GW_TCP
    clientip-sticky-nat
    source-nat pool POOLNAVEGACION
    service-group pool_gw
    no-dest-nat
    exit-module
    port 0 udp
    name VP_VS_GW_UDP
    clientip-sticky-nat
    source-nat pool POOLNAVEGACION
    service-group pool_gw_udp
    no-dest-nat
    exit-module
    exit-module
    !
    slb virtual-server VS_VPN_NAVEGA 250.14.30.2 /0
    port 443 tcp
    name tcp
    source-nat pool VPN_NAVEGA
    service-group pool_vpn
    exit-module
    exit-module
    !
    slb virtual-server vs_mail_ISP2 240.13.31.3 /0
    port 25 smtp
    name vp_vs_mail_ISP2
    clientip-sticky-nat
    source-nat auto
    service-group pool_webmail
    exit-module
    port 25 udp
    name vp_vs_mail_ISP2_UDP
    clientip-sticky-nat
    source-nat auto
    service-group pool_webmail_UDP
    exit-module
    exit-module
    !
    slb virtual-server vs_mail_ISP1 250.14.30.3 /0
    port 25 smtp
    name vp_vs_mail_ISP1
    clientip-sticky-nat
    source-nat auto
    service-group pool_webmail
    exit-module
    port 25 udp
    name vp_vs_mail_ISP1_udp
    clientip-sticky-nat
    source-nat auto
    service-group pool_webmail_UDP
    exit-module
    exit-module
    !
    slb virtual-server vs_portal1_ISP2 240.13.3.12 /0
    port 443 tcp
    name TCP
    clientip-sticky-nat
    source-nat auto
    service-group pool_portalpo
    exit-module
    port 443 udp
    name vp_vs_portalpo_claro2024
    clientip-sticky-nat
    source-nat auto
    service-group pool_portalpo_UDP
    exit-module
    exit-module
    !
    slb virtual-server vs_portal1_ISP1 250.14.30.12 /0
    port 443 tcp
    name TCP_TP
    clientip-sticky-nat
    source-nat auto
    service-group pool_portal1
    exit-module
    port 443 udp
    name vp_vs_portal1_ISP1_udp
    clientip-sticky-nat
    source-nat auto
    service-group pool_portal1_UDP
    exit-module
    exit-module
    !
    slb virtual-server vs_portal2_ISP2 240.13.3.7 /0
    port 443 tcp
    name TCP_PortPruebas
    clientip-sticky-nat
    source-nat auto
    service-group pool_portal2
    exit-module
    port 443 udp
    name vp_vs_portal2_ISP2_udp
    clientip-sticky-nat
    source-nat auto
    service-group pool_portal2_UDP
    exit-module
    exit-module
    !
    slb virtual-server vs_portal2_ISP1 250.14.30.7 /0
    port 443 tcp
    name TCP_PORT2
    clientip-sticky-nat
    source-nat auto
    service-group pool_portal2
    exit-module
    port 443 udp
    name vp_vs_portal2_ISP1_udp
    clientip-sticky-nat
    source-nat auto
    service-group pool_portal2_UDP
    exit-module
    exit-module
    !
    sflow setting local-collection
    !
    sflow collector ip 127.0.0.1 6343
    !
    !rba-config-start
    !
    !rba-config-end
    !
    end

    Thanks for your help!
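An added example, not from the thread or from A10: a small Python checker that parses ACOS-style configuration text for `ip nat pool`/`pool-group`, `slb server` and `slb service-group` definitions and reports `source-nat`, `member` and `service-group` references that point at names never defined. On a constructed excerpt of the configuration above it reports `VPN_NAVEGA` (referenced by the VPN virtual server, while the defined pool is named `VPN_ISP1`) and `pool_ISP1` (a pool-group member, while both defined pools are named `pool_ISP2`); such mismatches are worth ruling out before looking at ACLs or routing.

```python
import re

# Constructed excerpt of the ACOS-style config posted above ("!" separators dropped).
SAMPLE_CONFIG = """\
ip nat pool VPN_ISP1 250.14.30.2 250.14.30.2 netmask /27 gateway 250.14.30.1
ip nat pool pool_ISP2 240.13.31.8 240.13.31.8 netmask /28 gateway 240.13.31.1
ip nat pool-group POOLNAVEGACION
member pool_ISP1
member pool_ISP2
exit-module
slb server s_VPN_NAVEGA 172.116.151.130
exit-module
slb service-group pool_vpn tcp
member s_VPN_NAVEGA 443
exit-module
slb virtual-server VS_VPN_NAVEGA 250.14.30.2 /0
source-nat pool VPN_NAVEGA
service-group pool_vpn
exit-module
"""

# Top-level stanzas that define a name another stanza may reference, by kind.
DEFS = {
    "nat-pool": re.compile(r"^ip nat pool(?:-group)? (\S+)"),
    "server": re.compile(r"^slb server (\S+)"),
    "service-group": re.compile(r"^slb service-group (\S+)"),
}

def find_dangling(config):
    """Return sorted (kind, name, stanza) tuples for references with no definition."""
    defined, refs, stanza = {k: set() for k in DEFS}, [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for kind, rx in DEFS.items():
            if m := rx.match(line):
                defined[kind].add(m.group(1))
        if line.startswith(("ip nat pool", "slb ")):
            stanza = line  # remember which top-level block we are inside
        w = line.split()
        if w[0] == "source-nat" and w[1] != "auto":  # VIP port or port-template SNAT
            refs.append(("nat-pool", w[-1], stanza))
        elif w[0] == "service-group" and stanza.startswith("slb virtual-server"):
            refs.append(("service-group", w[1], stanza))
        elif w[0] == "member" and stanza.startswith("ip nat pool-group"):
            refs.append(("nat-pool", w[1], stanza))
        elif w[0] == "member" and stanza.startswith("slb service-group"):
            refs.append(("server", w[1], stanza))
    return sorted({r for r in refs if r[1] not in defined[r[0]]})
```

Feeding the full posted configuration through `find_dangling` also surfaces the `pool_portalpo` and `pool_portalpo_UDP` service groups referenced by `vs_portal1_ISP2`, which are not defined anywhere in the text.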

  • mdunn Member, A10ers

    Static SNAT configuration is being discussed in a new thread: https://community.a10networks.com/discussion/comment/17341
