Forum Discussion

Jon_46044's avatar
Jon_46044
Icon for Nimbostratus rankNimbostratus
Sep 25, 2007

Probably a fairly simplistic network route, but I'm confusing myself, so...

Just had some LTMs intalled in Active Passive setup. Got a test site setup using public IPs and SNAT. We'd like to change to private IP addresses, and use the LTMs to balance/access the site. Cu...
config
design
johns's avatar
johns
Icon for Employee rankEmployee
Sep 26, 2007
What you are trying to do is to route through, as you said. LTM is a default-deny device like a firewall, and you need to configure what is known as "Forwarding Virtual Server". For example, in order to allow outbound access from the 10.10.10.29, you would need to configure 0.0.0.0 forwarding virtual server on port 0 enabled on the 10.10.10 VLAN, which will allow traffic to ANY destination using ANY destination port from hosts on that VLAN.

 

 

virtual route_thru {

 

ip forward

 

destination any:any

 

mask none

 

vlans internal enable

 

}

 

 

If you were to enable this on "All VLANS", which is the default, then any host on anywhere with route using the LTM as gateway will be able to route through. This may not be a good security practice, so enabling on a specific VLAN where traffic will be originated from is what I'd recommend.

 

 

In order to pass traffic from your management station to the server, you will need something similar. Since one can consider the 72.X.X network to be "unsecured", you will want to lock it down. I suggest creating a forwarding virtual server as above:

 

 

virtual route_72_thru {

 

ip forward

 

destination 10.10.10.0:any

 

mask 255.255.255.0

 

vlans external enable

 

}

 

 

This would allow only destination address matching 10.10.10.0/24 would be allowed from the external VLAN. You can also use Packet Filter or iRule (based on source of the management workstation) to further secure it.