Creating VS for a network not directly connected

Question

Hi,&nbsp;
I have a network that has a DMZ (10.1.1.0/24) and an Internal (10.2.2.0/24) network directly connected to the F5 LTM.  The Internal network also has access to other networks (172.16.0.0/24) across a VPN tunnel.  I need to create a Virtual Server on the DMZ that allows traffic to specific servers that are on 172.16.0.0/24 network.&nbsp;
 &nbsp;
I may have my information wrong, but if I just create a Forwarding(IP) Virtual Server for 172.16.0.0/24:* on all ports and assign it to the DMZ vlan, will it listen for incoming traffic on the DMZ interface for the 172 network?  I think I read that if the F5 doesn't have a Self IP for that network, it won't ARP that network.  Coming back I have a default Forwarding (IP) Virtual Server allowing access from Internal to DMZ (0.0.0.0/0:*).  I also have routes in the F5 that point 172.16.0.0/24 traffic to the Internal network.&nbsp;
Either way I'm having issues with traffic going from the DMZ across the tunnel.  Any help is appreciated.&nbsp;
Thanks,&nbsp;
Mike&nbsp;

nitass · Answer

you have added a route for 172.16.0.0/24 subnet on firewall to send traffic to bigip's dmz interface, haven't you? 
&nbsp;  
&nbsp; have you run tcpdump on bigip? did you see any incoming packet to 172.16.0.0/24 subnet? 
&nbsp;  
&nbsp; e.g. 
&nbsp;  tcpdump -nni 0.0 net 172.16.0.0/24

thomas_schocka1 · Answer

Hi Mike, 
&nbsp;  
&nbsp;  
&nbsp; You need to check the following items: 
&nbsp; - does the F5 have a route to the 172.16.0.0/24 subnet? 
&nbsp; - does the F5 have a Forwarding (IP) type Virtual Server for this network? 
&nbsp; - is the Forwarding (IP) Virtual Server for this 172.16.0.0/24 network enabled on all VLAN's that will be using the F5 as a router for this network? 
&nbsp; - do the servers know they have to route packets for this network to the F5? (e.g. do they have the necessary routes?) 
&nbsp; - if it's not the servers directly, does the firewall or router know how to find the F5 on this network? 
&nbsp; - have you checked for any asymmetric routing between the servers in DMZ and those behind it? (e.g. packets go over the F5 but might return through the firewall because the destination server doesn't have a route back to the F5 directly) 
&nbsp;  
&nbsp; Kind regards, 
&nbsp;  
&nbsp; Thomas

mike_61640 · Answer

I went through and checked everything listed in your comments and they all seem to be in order.  I have static routes for these networks and a Forwarding (IP) setup for the 172.16.0.0/24.  I guess I just wanted to make sure that it would grab allow/grab this traffic if these networks were not directly connected.  I know that standard VS's don't and wanted to confirm that the Forwarding (IP) VS didn't act the same way.   
&nbsp;  
&nbsp; It still may be their application, I'm going to run more tcpdumps and see if I can find the problem. 
&nbsp;  
&nbsp; Thanks for the help, 
&nbsp; Mike

Forum Discussion

Creating VS for a network not directly connected

Recent Discussions

how to whitelist new source IP on F5 web UI access

F5 to read a combined CRL file

Upgrade F5 BIGIP

ISP Load Balancing, SNAT pool instead of Automap link self-ip, anyway to do health check ?

MAC address of deleted VS IP address still responsive

Related Content

Create a DevCentral account

Run Advanced Containers like OPSWAT Content Scrubbing Directly On F5 Distributed Cloud Nodes

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Create F5 BIG-IP Next Instance on Proxmox Virtual Environment

upgrade directly from os version 14.1. to 17.1.0

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS