Virtual F5 LTM configuration in DMZ and cannot ping DMZ/Default gateway.

Question

My F5 is in DMZ, and I have test server put in the DMZ.  There are no firewalls before and after the test server.   I logged on to the test server and hit the IP address. I cannot get this resolved. 
My environment 
Public IP  13.14.xxx.xxx                           ---Natter Proxy address    10.yyy.yyy.zzz    DMZ   Virtual F5 and two nodes.  No Firewall
1.I created a VIP with 10.yyy.yyy.zzz.  I cannot get traffic into the F5 firewall. 
2.I logged into the console of the F5 putty and tried to ping that address all looks good. 
3.For the console, I tried to ping the DMZ address, cannot resolve. 
4.I cannot get the VIP working.
From F5 putty console.
1.I can ping the internal nodes. 
2.I can ping the VIP.  I can ping test server in the DMZ.
3.I cannot ping DMZ itself.   Cannot ping the default gateway.
https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7595.html
A test form test server:
•Cannot ping the VIP.&nbsp;
•But can ping the DMZ, Default gateway, BIG IP management address.
•&nbsp;
I have configured even this: Not sure this helped. 
You can configure a wildcard forwarding virtual server that listens for all IP protocols, all addresses and all ports on all VLANs. &nbsp;
In the LTM GUI, browse to Virtual Servers &amp; click "Create". Configure the following properties:
Destination:Network
Address=0.0.0.0
Mask=0.0.0.0
Service port:0
Type:Forwarding (IP)
Protocol:*All Protocols
VLAN Traffic:All VLANs
Any help or pointer is appreciated.&nbsp;

keesvandenbos · Answer

When connected to the console of the firewall, can you ping one of the test servers or the VIP?
It looks like the interface of your firewall is in the wrong vlan.&nbsp;

sp_266134 · Answer

From the test server 
   I cannot ping the VIP.  Destination not reachable. 
From the F5 console 
    I can ping the test server. 
    I cannot ping DMZ or even default gateway. &nbsp;
Can I add additional virtual interfaces . Should I create more Vlan? Or Trunks.... let me know your thoughts. &nbsp;

keesvandenbos · Answer

Your ping test from the BIG-IP console is done from the self-ip of the BIG-IP. Are you able to ping the self-ip of the BIG-IP from your test server?&nbsp;
And what are the entries in the arp table on the testserver, firewall and BIG-IP?&nbsp;

sp_266134 · Answer

I cannot ping the external self IP, internal self IP can be pinged. 
Cannot ping the DMZ. 
Internal interface can be pinged and internal vips are working fine. External interface has as issues. &nbsp;

sp_266134 · Answer

ARP table in F5 
Static is empty. Dynamic list has entries for all internal traffic and they are resolved. 
Should i create an entry to ARP table static for the external network interface.&nbsp;

Forum Discussion

Virtual F5 LTM configuration in DMZ and cannot ping DMZ/Default gateway.

7 Replies

Recent Discussions

(How) can I get two client certificates in one APM session?

Using okta as SSO to login F5 GUI

snmp automatic stop mail send

BIG-IP DNS iRule issue with static variable

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Related Content

API Gateway Mapping - Gartner - F5

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

Whats new in NGINX Gateway Fabric 1.2?

Configuring NGINX API micro-gateway to support Open Banking's Advanced FAPI security profile

Integrating F5 BIG-IP with Kubernetes SIG Gateway API