
GTM external DNS Reply with Public IP

Jason_L_40779
Nimbostratus

Hi All,

 

I am working on a GTM deployment (11.5.3) and starting some of the testing currently. It appears the wide IPs are resolving to the private IP address of the virtual servers and not the public IP. I have a "one-armed" GTM which sits behind a firewall in a DMZ and has no public IP addresses on it. The firewall rules allow only RFC1918 addresses to devices in the DMZ. The LTM and GTM are in the same DMZ VLAN behind a firewall. All addresses are NATted by the firewall. I know this isn't the common two-armed deployment, but I'm trying to retrofit this into an already built environment.

 

The pools created on the GTM are referencing VIPs that have private addresses. I saw some posts from years ago stating to use the translation box, or an iRule, but none of my firewall rules will allow anything to the DMZ on a public IP. Everything is NATted. Basically what it boils down to is, I don't have any public addresses on the GTM, but I want it to hand out the public IP address of the VIPs to external requests.

 

What is the best way to do this?

 

So in this drawing, to keep IP addressing simple, the LTM and GTM sit in the same VLAN in a DMZ. There isn't an inside or outside VLAN in this environment. It's one-armed to keep it simple for now. Again, these are private RFC1918 addresses in a DMZ.

 

PRIVATE IPs: VIP1=2.2.2.1, VIP2=2.2.2.2, VIP3=2.2.2.3, VIP4=2.2.2.4

 

On the firewall these are NATted as follows (1.1.1.x are the public addresses):

 

VIP1: 1.1.1.2 ==> 2.2.2.1
VIP2: 1.1.1.3 ==> 2.2.2.2
VIP3: 1.1.1.4 ==> 2.2.2.3
VIP4: 1.1.1.5 ==> 2.2.2.4

 

The firewall rules are based on the private IP and not the public, so the rules are as follows:

 

any ==> 2.2.2.1 /https
any ==> 2.2.2.2 /https
any ==> 2.2.2.3 /https
any ==> 2.2.2.4 /https

 

So basically I want GTM to respond to the client with the public IP and not the private. What is the best way to accomplish this? Thanks in advance.

 

3 REPLIES

Jason_L_40779
Nimbostratus

Figured it out myself. The solution is to have the following:

 

VIP1_Public=1.1.1.2, VIP1_Private=1.1.1.2/https

 

The wide IP points at the public VIP; the public VIP has a dependency on the private VIP. I tested this: I disabled the VIP1 pool, and the DNS flipped over to the other data center.

 

Thanks anyway everyone. I'm not sure if there is a better way, but this seems to work.

 

My bad, I meant private 2.2.2.1.
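Once the wide IP points at the public-side virtual server as described in the reply above, the thing worth checking from outside is that every answer the GTM hands out is a firewall public address and never a DMZ/RFC1918 one (an internal address in a public DNS answer both breaks resolution for external clients and leaks the inside addressing). The script below is an added example written for this thread, not F5 code; it audits a list of A-record answers against a NAT table. The NAT table is constructed from the addresses in the question, the function names are mine, and the optional `dig` helper assumes `dig` is installed and the wide IP is queried through an external resolver.

```python
"""Audit what a GTM wide IP hands out to external clients.

Added example for this thread (not F5 code). NAT_TABLE is constructed
from the addresses in the question; replace it with your own firewall
static NATs. The audit functions run offline on a list of answers.
"""
import ipaddress
import subprocess
from typing import Dict, Iterable, List

# Constructed from the thread: firewall static NAT, public side -> private VIP.
NAT_TABLE: Dict[str, str] = {
    "1.1.1.2": "2.2.2.1",
    "1.1.1.3": "2.2.2.2",
    "1.1.1.4": "2.2.2.3",
    "1.1.1.5": "2.2.2.4",
}


def classify_answer(addr: str, nat: Dict[str, str]) -> str:
    """Classify one A-record answer returned for a wide IP.

    'public'  - a NAT public-side address, what an external client needs
    'leaked'  - a NAT private-side address, or anything RFC1918 / loopback /
                link-local: the GTM is handing out an inside address
    'unknown' - neither; worth investigating (stale record, wrong pool member)
    """
    ip = ipaddress.ip_address(addr)
    if addr in nat:
        return "public"
    if addr in nat.values() or ip.is_private or ip.is_loopback or ip.is_link_local:
        return "leaked"
    return "unknown"


def audit_answers(answers: Iterable[str], nat: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket every answer by classify_answer(); preserves answer order."""
    report: Dict[str, List[str]] = {"public": [], "leaked": [], "unknown": []}
    for addr in answers:
        report[classify_answer(addr, nat)].append(addr)
    return report


def expected_public_for(private_vip: str, nat: Dict[str, str]) -> str:
    """Reverse lookup: the public address a wide IP must return for a given
    private VIP. Raises KeyError when the firewall has no NAT for that VIP,
    which is exactly the case where a GTM pool member has nothing to map to."""
    reverse = {priv: pub for pub, priv in nat.items()}
    return reverse[private_vip]


def answers_are_external_safe(answers: Iterable[str], nat: Dict[str, str]) -> bool:
    """True only if at least one public answer came back and nothing leaked."""
    report = audit_answers(answers, nat)
    return bool(report["public"]) and not report["leaked"] and not report["unknown"]


def query_with_dig(wide_ip: str, resolver: str) -> List[str]:
    """Resolve wide_ip through an external resolver with dig (assumes dig is
    on PATH). Returns the A records as strings; run this from OUTSIDE the
    DMZ so you see what real clients see."""
    out = subprocess.run(
        ["dig", "+short", "@" + resolver, wide_ip, "A"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    # Constructed answers: a healthy response, then one that leaks the private VIP.
    for answers in (["1.1.1.2"], ["1.1.1.2", "2.2.2.1"], ["10.0.0.5"]):
        print(answers, "->", audit_answers(answers, NAT_TABLE),
              "safe" if answers_are_external_safe(answers, NAT_TABLE) else "NOT SAFE")
    print("VIP3 private 2.2.2.3 should resolve as", expected_public_for("2.2.2.3", NAT_TABLE))
```

Note that the thread's placeholder addresses (1.1.1.x and 2.2.2.x) are not RFC1918, so the `is_private` test alone would not catch them; that is why the NAT table's private side is checked explicitly. Failover can be checked the same way: disable the pool on the LTM, re-run the query, and confirm the answer moves to the other data center's public address rather than to anything private.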

Mustaki_64997
Nimbostratus