Forum Discussion
Steven_J__Willi
Nimbostratus
Nov 02, 2015
Accessing Pool members directly
Is there a way to prevent people from accessing pool members directly that sit behind the LTM? They must use the VIP?
Brad_Parker
Cirrus
Nov 02, 2015
Yes, if you don't have a wildcard listener, the traffic will not route through the LTM without going through a VIP.
- Steven_J__Willi Nov 02, 2015
Nimbostratus
Where can I find info on this?
- Brad_Parker Nov 02, 2015
Cirrus
It's kinda just how LTM works. It's a default deny device and will not pass traffic unless there is a configured listener. A listener is a virtual address which usually has a configured virtual server. A self-IP itself will not forward packets without these listeners.
- Steven_J__Willi Nov 02, 2015
Nimbostratus
Well, I have a VIP created on the same subnet as the nodes. I assume it's a network as the unit is one armed and not inline, so the servers don't sit behind the F5 per se.
- Brad_Parker Nov 02, 2015
Cirrus
Then the F5 cannot prevent the traffic in one armed mode as it is not the gateway to the network.
- Steven_J__Willi Nov 02, 2015
Nimbostratus
I was afraid of that. So could I redesign this to make the F5 the default gateway for the servers rather than the ASA firewall in the DMZ like it is now? But then it would be inline, correct? The switch would connect to the F5, then the F5 would connect to the ASA. So this would require the internal network and external network. Why would anyone want to do a one-arm deployment? Seems limited?