Forum Discussion

DarkSideOfTheQ_
May 27, 2009

LTM VIP and NAT

Hello All,

Today my LTMs (in HA setup) sit in a DMZ (FW1<->LTM1 / FW2<->LTM2) and the VIPs are using live IPs. We are changing ISPs and thus getting a new IP range. I am wondering about changing our VIPs to private IPs and doing NAT at the firewall for them. I hereby open the floor for comments/suggestions.

TIA,

DarkSide

4 Replies

  • Hi DarkSide,

    LTM won't care; as long as all the routing works, you should be good to go.

    Denny
  • Thanks for the reply, Denny.

    I wasn't sure if not using live IPs will impact the LTM in a way such as not passing client IP, etc... basically any caveats to NAT'ing at the firewall vs. using live IPs for our VIPs.

    -DarkSide
  • Hamish

    Posted By DarkSideOfTheQ on 05/27/2009 9:12 AM

    Thanks for the reply, Denny.

    I wasn't sure if not using live IPs will impact the LTM in a way such as not passing client IP, etc... basically any caveats to NAT'ing at the firewall vs. using live IPs for our VIPs.

    -DarkSide

    So long as you don't NAT the client IP you shouldn't run into any problems. If you do NAT the client IP, you would only have problems if you tried to do srcIP persistence... And discovered you don't get any balancing because all your clients look like one...

    1. Don't NAT the client

    2. Use cookie persistence (where possible)

    And you should be fine.

  • Nope. Won't be NAT'ing the client IP, only the VIP, and we already use cookie persistence, so sounds like I'll be fine NAT'ing the VIPs.

    I appreciate the input thus far.

    -DarkSide
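
The caveat Hamish describes in this thread (source-address persistence losing all balancing once the firewall NATs the client IP), as an added example that is not part of the original posts: a simplified Python model, not F5 code. The pool addresses, firewall address, client traffic and the `VirtualServer` class are constructed for illustration, and cookie persistence is modelled as a per-client session key.

```python
from collections import Counter
from itertools import cycle

POOL = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]  # constructed pool members
FIREWALL_SNAT_IP = "192.168.1.1"                # constructed firewall address


class VirtualServer:
    """Hypothetical model: round-robin for new keys, persistence table for known keys."""

    def __init__(self, pool, persist_on):
        self._next_member = cycle(pool)
        self._persist_on = persist_on   # "src_ip" or "cookie"
        self._table = {}                # persistence key -> pool member

    def handle(self, request):
        key = request[self._persist_on]
        if key not in self._table:      # first time this key is seen: balance it
            self._table[key] = next(self._next_member)
        return self._table[key]         # afterwards: stick to the same member


def make_requests(n_clients, requests_per_client, snat_client):
    """Constructed traffic: every client has its own real IP and its own cookie."""
    for _ in range(requests_per_client):
        for i in range(n_clients):
            real_ip = f"203.0.113.{i + 1}"
            yield {
                # With client SNAT the LTM only ever sees the firewall's address.
                "src_ip": FIREWALL_SNAT_IP if snat_client else real_ip,
                "cookie": f"session-{i}",
            }


def distribution(persist_on, snat_client, n_clients=30, requests_per_client=4):
    """Return requests handled per pool member for one persistence/NAT combination."""
    vs = VirtualServer(POOL, persist_on)
    traffic = make_requests(n_clients, requests_per_client, snat_client)
    hits = Counter(vs.handle(r) for r in traffic)
    return {member: hits.get(member, 0) for member in POOL}


if __name__ == "__main__":
    cases = [
        ("src_ip persistence, only the VIP NATed", "src_ip", False),
        ("src_ip persistence, client IP NATed", "src_ip", True),
        ("cookie persistence, client IP NATed", "cookie", True),
    ]
    for label, persist_on, snat in cases:
        print(f"{label:42} {distribution(persist_on, snat)}")
```

NATing only the VIP leaves the client source address intact, so both persistence methods keep balancing; only the combination of client NAT and source-address persistence pins every request to one pool member.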