Migrating Servers from One Armed to Routed Configuration
BIG-IP 2000s with only ASM
I've got an HA pair of BIG-IP 2000s in our DMZ supporting several servers via a one-armed configuration with SNAT enabled. The servers bypass the BIG-IPs when sending email, causing the external firewall to be reported as the source address for outbound traffic. This led to mail being dropped by certain external mail servers when reverse DNS lookups failed (our external firewall is NATing our DMZ).
It seems the only solution is to make the BIG-IP the gateway for the affected servers, which means configuring an additional VLAN on the BIG-IPs and migrating the servers.
Is there an alternative?
Management access to the servers is a concern because they each have only one NIC. One option is to configure server NICs to trunk the DMZ and new VLAN, but I've read it's considered best practice to only support one network to a DMZ server. If I implement the best practice solution, I'll have to create virtual server profiles permitting only management traffic sourced from our internal network.
Thoughts?
4 Replies
- arpydays
Nimbostratus
Can you not have external DNS entries for the outbound NAT (or a mail-specific outbound NAT) so the external mail servers can resolve the PTR/A records?
cheers
- M_Links_with_N_
Nimbostratus
Great suggestion. I think your idea would help our mail servers pass reverse lookup and forward-confirmed reverse DNS checks. Are you aware of other checks I'm not listing?
To illustrate your idea, our mail server would be contacted by external clients at the following address (traversing the BIG-IP): x.x.x.51 mail.site.com
To send mails, the server would use the following address (bypassing the BIG-IP): x.x.x.61 mailsend.site.com
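To see what a receiving mail server is actually verifying here, the following is an added example (not code from the thread, from F5, or from any of the posters): a forward-confirmed reverse DNS (FCrDNS) check run against constructed sample records that mirror the scenario above. The 192.0.2.0/24 addresses stand in for the "x.x.x" addresses in the thread, the record sets are invented for illustration, and the `live_ptr`/`live_a` helpers simply wrap the system resolver for use against real addresses. It also includes the related HELO-name consistency check that many receivers apply alongside FCrDNS, which goes slightly beyond what the thread mentions.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check as applied by many receiving MTAs.

Constructed sample data (assumption, not real records):
  192.0.2.51 -> mail.site.com      inbound VIP via the BIG-IP
  192.0.2.61 -> mailsend.site.com  proposed dedicated outbound NAT address
  192.0.2.1                        firewall's generic NAT address, no PTR at all
  192.0.2.2  -> fw-nat.site.com    PTR exists but the A record points elsewhere
"""
import ipaddress
import socket
from typing import Callable, Dict, List

SAMPLE_PTR: Dict[str, List[str]] = {
    "192.0.2.51": ["mail.site.com"],
    "192.0.2.61": ["mailsend.site.com"],
    "192.0.2.2": ["fw-nat.site.com"],
}
SAMPLE_A: Dict[str, List[str]] = {
    "mail.site.com": ["192.0.2.51"],
    "mailsend.site.com": ["192.0.2.61"],
    "fw-nat.site.com": ["198.51.100.9"],
}


def sample_ptr(ip: str) -> List[str]:
    """Reverse lookup against the constructed table; LookupError mimics NXDOMAIN."""
    if ip not in SAMPLE_PTR:
        raise LookupError(ip)
    return list(SAMPLE_PTR[ip])


def sample_a(name: str) -> List[str]:
    """Forward lookup against the constructed table; LookupError mimics NXDOMAIN."""
    if name not in SAMPLE_A:
        raise LookupError(name)
    return list(SAMPLE_A[name])


def live_ptr(ip: str) -> List[str]:
    """Reverse lookup via the system resolver (only for use against real addresses)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except socket.herror as exc:
        raise LookupError(ip) from exc
    return [host] + list(aliases)


def live_a(name: str) -> List[str]:
    """Forward lookup via the system resolver (only for use against real names)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror as exc:
        raise LookupError(name) from exc
    return addrs


def fcrdns_check(ip: str, ptr_lookup: Callable[[str], List[str]],
                 a_lookup: Callable[[str], List[str]]) -> dict:
    """Step 1: IP -> PTR name(s). Step 2: each name -> A records must contain the IP."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    result = {"ip": ip, "ptr_names": [], "confirmed_names": [], "pass": False, "reason": ""}
    try:
        names = ptr_lookup(ip)
    except LookupError:
        names = []
    result["ptr_names"] = names
    if not names:
        result["reason"] = "no PTR record for source address"
        return result
    for name in names:
        try:
            addrs = a_lookup(name)
        except LookupError:
            addrs = []
        if ip in addrs:
            result["confirmed_names"].append(name)
    if result["confirmed_names"]:
        result["pass"] = True
        result["reason"] = "PTR name resolves back to source address"
    else:
        result["reason"] = "PTR name(s) do not resolve back to source address"
    return result


def helo_check(helo_name: str, ip: str, a_lookup: Callable[[str], List[str]]) -> bool:
    """Related check: the name given in EHLO/HELO should resolve to the connecting IP."""
    try:
        return ip in a_lookup(helo_name)
    except LookupError:
        return False


def demo() -> Dict[str, bool]:
    """Verdict per sample source address, using the constructed records."""
    return {ip: fcrdns_check(ip, sample_ptr, sample_a)["pass"]
            for ip in ("192.0.2.51", "192.0.2.61", "192.0.2.1", "192.0.2.2")}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, "PASS" if verdict else "FAIL", fcrdns_check(ip, sample_ptr, sample_a)["reason"])
```

Running `demo()` shows the two failure modes the thread is dealing with: the firewall's generic NAT address fails because it has no PTR at all, and an address whose PTR name does not resolve back fails the forward confirmation. Only the dedicated outbound address with matching PTR and A records passes, which is exactly what the suggested mail-specific outbound NAT plus DNS entries provides. For a real check, pass `live_ptr` and `live_a` instead of the sample lookups.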
- arpydays
Nimbostratus
I think it should work ok.
cheers
- Nova
Cirrus
Also, why not NAT from the firewall to the correct public IP? I'm sure your FW has the means to enforce a NAT policy.
Mike