Forum Discussion
meena_60183
Nimbostratus
NimbostratusAdding a LTM in DMZ
Hi All,
I have a DMZ connected to our firewall and it has the subnet x.x.224.0/22. This DMZ already has SMTP servers, external DNS servers, some web servers etc. Now, they want to add a BigIP so that this can be used as a reverse proxy with ASM. The purpose of this BigIP is to allow traffic to some of the servers reside in our internal network. These servers cannot reside in the DMZ due to some complicated reasons.
I do not have any additional interface on the firewall to add the BigIP. I have to use the existing DMZ interface. I am trying to figure out how I can add the BigIP to x.x.224.0/22 without affecting any of the existing servers.
Any ideas?
Meena
3 Replies
siddiqu_84786Hi,
You can configure in single-arm mode. Refer F5 Implementation guide. One-IP Network topology.
Siddiqu.T
meena_60183Thank you and that's what I thought too.
I have one more question regarding this. If I have the Big-IP VIP and the server on the same subnet, do I need to enable layer 2 forwarding?
The server's default gateway is set to the firewall now but I may have to change it to be the firewall for the return traffic from the server not to bypass the BigIP.
Does this sound correct?
Meena- dennypayne
Employee
No, you just need to SNAT. You can either use SNAT Automap to use the BIG-IP's self-ip or turn up a new IP in a SNAT Pool and use that (under Advanced on the virtual server - or you can just SNAT globally). L2 Forwarding would allow you to preserve client IP in the server logs, but it adds a whole host of other complications, spanning tree in particular.
Denny
