F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

zubair_syed_199's avatar
zubair_syed_199
Icon for Nimbostratus rankNimbostratus
Jul 03, 2015

Public IP as external VIP on LTM

Hi,   Is it a good practice to configure Puplic IP on external VIP on LTM or should we do a NAT on a network Firewall that translate Public into Private and then configure Private IP address on th...
application delivery
design
LTM
security
DFeike_160744's avatar
DFeike_160744
Icon for Nimbostratus rankNimbostratus
Jul 06, 2015

Hello Zubair,

 

i also can backup the statement that destination NAT on a firewall is NO security feature in any way. If you are however planning to use the GTM in the future and use autodiscovery of the LTM's Virtual Servers, than you should consider using public IPs for the VS. Just as a hint, remember to enable VS only on the VLANs you want them actually listen for traffic. If you don't limit it, then the VS would be accessible on all VLANs by default.

 

Also it is true that the BIG-IP itself is a deny-all device and will reject all traffic that doesn't match listener objects such as a Virtual Server or a SNAT (Pool).

 

Best regards David