Forum Discussion

meena_60183
Jan 28, 2009

Adding a LTM in DMZ

Hi All,

I have a DMZ connected to our firewall and it has the subnet x.x.224.0/22. This DMZ already has SMTP servers, external DNS servers, some web servers etc. Now, they want to add a BigIP so that this can be used as a reverse proxy with ASM. The purpose of this BigIP is to allow traffic to some of the servers that reside in our internal network. These servers cannot reside in the DMZ due to some complicated reasons.

I do not have any additional interface on the firewall to add the BigIP. I have to use the existing DMZ interface. I am trying to figure out how I can add the BigIP to x.x.224.0/22 without affecting any of the existing servers.

Any ideas?

Meena

3 Replies

  • Hi,

    You can configure it in single-arm mode. Refer to the F5 implementation guide, One-IP Network topology.

    Siddiqu.T

  • Thank you and that's what I thought too.

    I have one more question regarding this. If I have the Big-IP VIP and the server on the same subnet, do I need to enable layer 2 forwarding?

    The server's default gateway is set to the firewall now, but I may have to change it to be the firewall for the return traffic from the server not to bypass the BigIP.

    Does this sound correct?

    Meena
  • No, you just need to SNAT. You can either use SNAT Automap to use the BIG-IP's self-ip or turn up a new IP in a SNAT Pool and use that (under Advanced on the virtual server - or you can just SNAT globally). L2 Forwarding would allow you to preserve client IP in the server logs, but it adds a whole host of other complications, spanning tree in particular.

    Denny
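
Denny's one-arm-with-SNAT answer written out as BIG-IP tmsh configuration, as an added example that is not from the thread or from F5. All addresses and object names are constructed stand-ins for the x.x.224.0/22 DMZ: the BIG-IP's DMZ self IP is 192.0.2.10, the firewall's DMZ interface is 192.0.2.1, the virtual server is 192.0.2.50, the internal servers are 10.0.10.21 and 10.0.10.22, and the VLAN, pool, SNAT pool and virtual server names are assumed.

```tmsh
# Added example, not the poster's configuration. All addresses and object names are
# constructed; the thread's real DMZ is x.x.224.0/22.

# One-arm: a single DMZ VLAN and self IP, because the BIG-IP gets no second interface.
create net vlan dmz interfaces add { 1.1 { } }
create net self 192.0.2.10/22 vlan dmz allow-service none

# The only way out is the firewall's DMZ interface, both toward clients and toward
# the internal servers behind the firewall.
create net route default gw 192.0.2.1

# The internal servers the BIG-IP fronts (reached through the firewall).
create ltm pool pool_intranet_https monitor https members add { 10.0.10.21:443 { } 10.0.10.22:443 { } }

# Weak version: no source address translation. The servers see the client's real IP
# and send their replies to their own default gateway (the firewall), so the return
# path never touches the BIG-IP and the TCP handshake cannot complete.
create ltm virtual vs_intranet_https destination 192.0.2.50:443 ip-protocol tcp pool pool_intranet_https profiles add { tcp { } http { } clientssl { context clientside } }

# Corrected version: SNAT Automap rewrites the client source to the BIG-IP's self IP
# (192.0.2.10), so the servers answer the BIG-IP, which forwards the reply to the client.
modify ltm virtual vs_intranet_https source-address-translation { type automap }

# Alternative from the reply: a dedicated SNAT pool address instead of the self IP,
# so the firewall can tell translated client traffic apart from the BIG-IP's own
# health-monitor traffic, which is sourced from the self IP.
create ltm snatpool snat_dmz members add { 192.0.2.11 }
modify ltm virtual vs_intranet_https source-address-translation { type snat pool snat_dmz }

# Verify: every server-side connection should now show 192.0.2.11 (or 192.0.2.10 with
# Automap) as its source, never the client's address.
show sys connection cs-server-addr 192.0.2.50
save sys config
```

The servers' default gateway can stay pointed at the firewall: once the source is translated, their replies are addressed to the BIG-IP and route back to the DMZ on their own.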