Forum Discussion
Jon_46044
Nimbostratus
NimbostratusProbably a fairly simplistic network route, but I'm confusing myself, so...
Just had some LTMs intalled in Active Passive setup. Got a test site setup using public IPs and SNAT. We'd like to change to private IP addresses, and use the LTMs to balance/access the site.
Cu...
What you are trying to do is to route through, as you said. LTM is a default-deny device like a firewall, and you need to configure what is known as "Forwarding Virtual Server". For example, in order to allow outbound access from the 10.10.10.29, you would need to configure 0.0.0.0 forwarding virtual server on port 0 enabled on the 10.10.10 VLAN, which will allow traffic to ANY destination using ANY destination port from hosts on that VLAN.
virtual route_thru {
ip forward
destination any:any
mask none
vlans internal enable
}
If you were to enable this on "All VLANS", which is the default, then any host on anywhere with route using the LTM as gateway will be able to route through. This may not be a good security practice, so enabling on a specific VLAN where traffic will be originated from is what I'd recommend.
In order to pass traffic from your management station to the server, you will need something similar. Since one can consider the 72.X.X network to be "unsecured", you will want to lock it down. I suggest creating a forwarding virtual server as above:
virtual route_72_thru {
ip forward
destination 10.10.10.0:any
mask 255.255.255.0
vlans external enable
}
This would allow only destination address matching 10.10.10.0/24 would be allowed from the external VLAN. You can also use Packet Filter or iRule (based on source of the management workstation) to further secure it.
