Forum Discussion

spmedge_85938's avatar
spmedge_85938
Icon for Nimbostratus rankNimbostratus
Jan 16, 2012

Setup help

I am setting on my LB and have my ASA in front of both my LB and web servers. I have my virtual server set as 10.0.2.97 255.255.255.224 and having a NAT rule on my ASA with the public IP linking the virtual server IP. For my web server it is 10.0.1.101 255.255.255.224.

Will I get access to my web server with this setup? what will I need for this to be done? Also should I put the gateway for the web servers as my LB self IP or the virtual server IP?

 

5 Replies

  • Are you trying to use an LTM virtual server to load balance your web server(s)? Or are you trying to configure admin access through LTM to the web servers?

     

     

    For load balancing, you should create a host virtual server (like 10.0.2.97 with no subnet) pointing to a pool containing your web server(s).

     

     

    For admin access, see this SOL:

     

     

    sol7229: Methods of gaining administrative access to nodes through the BIG-IP system

     

    http://support.f5.com/kb/en-us/solutions/public/7000/200/sol7229.html?sr=18746937

     

     

    As far as the pool members gateway, it depends. If you want LTM to act as a gateway for all traffic sourced from the pool members, then you should configure them with the LTM self IP on their VLAN as the gateway. One advantage of this is that you won't need to configure LTM to perform source address translation. So the pool members will see the true client IP.

     

     

    You'll need to configure LTM to pass traffic sourced from the pool members. The best practice for this is to generally configure a virtual server listening on the pool member VLAN which answers for 0.0.0.0/0.0.0.0 on any port. You can create one VS for TCP and another with UDP. If you have a pool of gateways you can use a FastL4 virtual server which points to a pool of the gateways. If you only have one gateway, you can use a forwarding IP virtual server which will use the TMM routing table to route the connections.

     

     

    If you don't want LTM to act as a gateway for the pool members, then you'll need to use source address translation. If you have more than ~65k connections to each pool member, you can create a pool of SNAT addresses and add that to the virtual server. Else, you can use SNAT automap on the virtual server.

     

     

    Aaron
  • Even if the web servers are on 10.0.1.0 255.255.255.224 the virtual server that is using 10.0.2.97 it will still work? my firewall only has the interface for the public interface and inside IP as 10.0.2.x
  • can you try something like this?

    snat automap is not needed if web server's default gateway is bigip's selfip.

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       pool foo
       destination 10.0.2.97:80
       ip protocol 6
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config  b pool foo list
    pool foo {
       members 10.0.1.101:80 {}
    }
    
  • Thanks much for all the help. My biggest question is, if the web server 10.0.1.101 255.255.255.224 and the self IP of the F5 is 10.0.2.111 255.255.255.224 which I NAT in my firewall to a public IP how will the firewall know how to get to the web server? Or will this be manage by the F5? Do I have to have both the F5 and web server on the same subnet?
  • will this be manage by the F5?yes. firewall has to do 1-to-1 nat between web server public ip and virtual server address e.g. 10.0.2.97.

     

     

    Do I have to have both the F5 and web server on the same subnet?no. that is fine if bigip can reach it e.g. routing. snat may be required if return packet from web server does not pass through bigip.