Migrating Servers from One Armed to Routed Configuration

Question

BIG-IP 2000s with only ASM&nbsp;
I've got an HA pair of BIG-IP 2000s in our DMZ supporting several servers via a one armed configuration with SNAT enabled.  The servers bypass the BIG-IPs when sending email, causing the external firewall to be reported as the source address for outbound traffic.  This led to mail being dropped by certain external mail servers when reverse DNS lookups failed (Our external firewall is NATing our DMZ).&nbsp;
It seems the only solution is to make the BIG-IP the gateway for the affected servers, which means configuring an additional VLAN on the BIG-IPs and migrating the servers. &nbsp;
Is there an alternative?&nbsp;
Management access to the servers is a concern because they each have only one NIC.  One option is to configure server  NICs to trunk the DMZ and new VLAN, but I've read it's considered best practice to only support one network to a DMZ server.  If I implement the best practice solution, I'll have to create virtual server profiles permitting only management traffic sourced from our internal network.&nbsp;
Thoughts?&nbsp;

arpydays · Answer

Can you not have external DNS entries for the outbound NAT (or a mail specific outbound NAT) so the external mail servers can resolve the PTR/A records.&nbsp;
cheers&nbsp;

m_links_with_n_ · Answer

Great suggestion.  I think your idea would help our mail servers pass reverse lookup and forward confirmed reverse dns checks.  Are you aware of other checks I'm not listing?&nbsp;
To illustrate your idea, our mail server would be contacted by external clients at the following address (traversing the BIG-IP):
x.x.x.51 mail.site.com&nbsp;
To send mails, the server would use the following address (bypassing the BIG-IP):
x.x.x.61 mailsend.site.com&nbsp;

arpydays · Answer

I think it should work ok.&nbsp;
cheers&nbsp;

nova · Answer

Also, why not nat from the firewall to the correct public IP?  I'm sure your FW has the means to enforce a nat policy.&nbsp;
Mike&nbsp;

Forum Discussion

Migrating Servers from One Armed to Routed Configuration

4 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

LTM Diameter iRules and Profile Configurations with Support for Server Initiated Request

Export Virtual Server Configuration in CSV - tmsh cli script

uCS platform-migrate

Edge to Pulse: IP Geolocation Database Migration

Re: Welcome to the F5 BIG-IP Migration Assistant