I am working on a GTM deployment 11.5.3 and starting some of the testing currently. It appears the wide IPs are resolving with the private IP address of the virtual servers and not the public IP. I have a "one-armed" GTM which sits behind a firewall in a DMZ and has no public IP addresses on it. The firewall rules allow only RFC1918 addresses to devices in the DMZ. The LTM and GTM are in the same DMZ VLAN behind a firewall. All addresses are NATed by the firewall. I know this isn't the common two-armed deployment, but I'm trying to retrofit this into an already built environment.
The pools created on the GTM are referencing VIPs that have private addresses. I saw some posts from years ago stating to use the translation box, or an iRule, but none of my firewall rules will allow anything to the DMZ on a public IP. Everything is NATed. Basically what it boils down to is, I don't have any public addresses on the GTM, but I want it to hand out the public IP address of the VIPs to external requests.
What is the best way to do this?
So in this drawing, to keep IP addressing simple, the LTM and GTM sit in the same VLAN in a DMZ. There isn't an inside or outside VLAN in this environment. It's one-armed to keep it simple for now. Again, these are private RFC1918 addresses in a DMZ.
Private IPs:
VIP1=188.8.131.52
VIP2=184.108.40.206
VIP3=220.127.116.11
VIP4=18.104.22.168

On the firewall these are NATed as follows (22.214.171.124 are publics):
VIP1=126.96.36.199 ==> 188.8.131.52
VIP1=184.108.40.206 ==> 220.127.116.11
VIP1=18.104.22.168 ==> 22.214.171.124
VIP1=126.96.36.199 ==> 188.8.131.52

The firewall rules are based on the private IP and not the public, so the rules are as follows:
any ==> 184.108.40.206 /https
any ==> 220.127.116.11 /https
any ==> 18.104.22.168 /https
any ==> 22.214.171.124 /https
So basically I want GTM to respond to the client with the public IP and not the private... What is the best way to accomplish this? Thanks in advance.
Figured it out myself. The solution is to have the following:
VIP1_Public=126.96.36.199
VIP1_Private=188.8.131.52/https

The wide IP points at the public VIP, and the public VIP has a dependency on the private VIP. I tested this: I disabled the VIP1 pool, and the DNS flipped over to the other data center.
Thanks anyway everyone. I'm not sure if there is a better way, but this seems to work.
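One check worth running after a change like this is to resolve the wide IP from an external vantage point and confirm that no RFC1918 address comes back, since a private VIP address in a public DNS answer is exactly the symptom the thread started with. The script below is an added example, not code from the thread or from F5; it takes a list of observed A-record answers (here a constructed sample standing in for `dig` output) and the firewall's static NAT table (constructed placeholder addresses, with TEST-NET-3 playing the role of the public side), flags any private address that leaked, and reports the public translation the client should have received. It checks the three RFC1918 blocks explicitly rather than using `ipaddress.is_private`, which would also flag documentation ranges.

```python
"""Audit the A-record answers a GTM wide IP hands out against a firewall NAT
table, flagging any RFC1918 address that leaked to an external client.

All addresses below are constructed placeholders (TEST-NET-3 stands in for
"public"); they are not the values from the thread.
"""
import ipaddress

RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed NAT table: private VIP on the DMZ LTM -> public address the
# firewall presents to the Internet (static 1:1 NAT, as in the thread).
NAT_TABLE = {
    "10.10.10.11": "203.0.113.11",
    "10.10.10.12": "203.0.113.12",
    "10.10.10.13": "203.0.113.13",
    "10.10.10.14": "203.0.113.14",
}


def is_rfc1918(address):
    """True if the IPv4 address falls in one of the three RFC1918 blocks.

    The blocks are checked explicitly rather than via ipaddress.is_private,
    which also returns True for documentation ranges such as 203.0.113.0/24.
    """
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def audit_answers(wide_ip, answers, nat_table):
    """Classify each answer returned for wide_ip.

    Returns one dict per answer: the address, whether it is a leaked private
    VIP, and the public translation the external client should have received
    (None when the private address has no NAT entry at all).
    """
    findings = []
    for answer in answers:
        leaked = is_rfc1918(answer)
        findings.append({
            "wide_ip": wide_ip,
            "answer": answer,
            "leaked_private": leaked,
            "expected_public": nat_table.get(answer) if leaked else answer,
        })
    return findings


def unmapped_private_answers(findings):
    """Leaked private answers with no NAT entry.

    These cannot be fixed by pointing the wide IP at a public VIP object;
    the firewall translation has to exist first.
    """
    return [f["answer"] for f in findings
            if f["leaked_private"] and f["expected_public"] is None]


if __name__ == "__main__":
    # Constructed sample of what an external client saw before the fix.
    observed = ["10.10.10.11", "10.10.10.13", "192.168.50.5"]
    for finding in audit_answers("www.example.com", observed, NAT_TABLE):
        status = "LEAK" if finding["leaked_private"] else "ok"
        print(f"{status:4} {finding['answer']:>15} -> {finding['expected_public']}")
```

Feed `audit_answers` the addresses returned by a resolver outside the firewall (each data center's wide IP should be queried in turn, including after disabling a pool member as the poster did, so the failover answer is checked as well). Any entry with `leaked_private` set means the wide IP is still referencing the private VIP rather than the public object, and anything listed by `unmapped_private_answers` points at a VIP the firewall does not translate at all.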