For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Cisco_Crazy_110's avatar
Cisco_Crazy_110
Icon for Nimbostratus rankNimbostratus
Oct 04, 2012

GTM Translation doesnt work with Generic Host

GTM version 10.2.3. Not VE.

 

We have a requirement to configure a Generic Host as it is not behind any LB. We need the DNS to resolve to the Public address. The GTM, the real server is residing in DMZ and same subnet as the GTM self IP. We are using private IPs in the DMZ. Natting happens on the firewall.

 

I add the Generic host to GTM with the following settings.

 

Address: Public IP (say y.y.y.y)

 

Translation: Private IP(say x.x.x.x)

 

 

Under Virtual Servers

 

Address: Public IP (say y.y.y.y)

 

Service Port : 444

 

Translation: Private IP(say x.x.x.x)

 

Translation Service Port : 444

 

 

Then I create a pool add the VS as a member and use tcp monitoring. the pool and the member shows down with the above settings.

 

 

However with the following settings the pool works but Wide IP resolves to the private IP rather than public:

 

Address: Private IP(say x.x.x.x)

 

Service Port : 444

 

Translation:Public IP (say y.y.y.y)

 

Translation Service Port : 444

 

But translation works fine on the servers added through the LTMs.

 

 

Any help much appreciated.

 

 

Regards

 

 

 

 

 

 

 

config
design

3 Replies

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Oct 05, 2012
    I gave up on the translations in GTM. Mainly because it disabled auto discovery of LTM VS's.

     

     

    I have a quick iRule that does a lookup from several sources against DG's. One to determine which'list' to translate against given the requesting IP (This allows for multiple translations, depending on where the 'client' is in the network) and then a lookup for the specific translation list to decide which IP to actually give back in the resolution.

     

     

    Although it's for GTM responses, it's actually implemented as an LTM iRule on the system VS created by the GTM listener. You can grab it from the codeshare. It's at https://devcentral.f5.com/wiki/iRules.GTM-Translation.ashx

     

     

    H
  • Cisco_Crazy_110's avatar
    Cisco_Crazy_110
    Icon for Nimbostratus rankNimbostratus
    Oct 07, 2012

    Thanks Hamish. I actually tried the following irule as it exactly met my requirements and is working fine. Let me know if there are any issues with this:

     

    when LB_SELECTED {

     

    if { [DNS::rrname] eq "WIDE-IP.xx.com" } {

     

    if { [LB::server addr] equals "10.X.X.X" } {

     

    host 90.Y.Y.Y

     

    } elseif { [LB::server addr] equals "10.Y.Y.Y" } {

     

    host 92.Y.Y.Y

     

    }

     

    }

     

    }

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Oct 08, 2012

    I'm not sure your iRUle actually does anything... You're checking for the wide IP OK... But then you're testing LD::server... WHich should return a TCL LIST of Pool, nodeaddr and port for the currently selected server. Or if no server selected, the poolname only...

     

     

    When attached to a GTM VS, I'm not sure what you'll get. But I don't believe you're going to translate the IP address returned to the client... (Unless v10 does something really different from v11 and the docs on devcentral)

     

     

    H