Forum Discussion

Jason_L_40779
Feb 05, 2016

GTM external DNS Reply with Public IP

Hi All,

I am working on a GTM deployment (11.5.3) and am currently starting some of the testing. It appears the wide IPs are resolving to the private IP addresses of the virtual servers and not the public IPs. I have a "one-armed" GTM which sits behind a firewall in a DMZ and has no public IP addresses on it. The firewall rules only allow RFC1918 addresses to devices in the DMZ. The LTM and GTM are in the same DMZ VLAN behind the firewall. All addresses are NATted by the firewall. I know this isn't the common two-armed deployment, but I'm trying to retrofit this into an already built environment.

The pools created on the GTM reference VIPs that have private addresses. I saw some posts from years ago stating to use the translation box, or an iRule, but none of my firewall rules will allow anything to the DMZ on a public IP. Everything is NATted. Basically what it boils down to is: I don't have any public addresses on the GTM, but I want it to hand out the public IP addresses of the VIPs to external requests.

What is the best way to do this?

So in this drawing, to keep IP addressing simple, the LTM and GTM sit in the same VLAN in a DMZ. There isn't an inside or outside VLAN in this environment. It's one-armed to keep it simple for now. Again, these are private RFC1918 addresses in a DMZ.

PRIVATE IPs:
VIP1 = 2.2.2.1
VIP2 = 2.2.2.2
VIP3 = 2.2.2.3
VIP4 = 2.2.2.4

On the firewall these are NATted as follows (the 1.1.1.x addresses are public):

VIP1: 1.1.1.2 ==> 2.2.2.1
VIP2: 1.1.1.3 ==> 2.2.2.2
VIP3: 1.1.1.4 ==> 2.2.2.3
VIP4: 1.1.1.5 ==> 2.2.2.4

The firewall rules are based on the private IPs and not the public ones, so the rules are as follows:

any ==> 2.2.2.1 / https
any ==> 2.2.2.2 / https
any ==> 2.2.2.3 / https
any ==> 2.2.2.4 / https

So basically I want GTM to respond to the client with the public IP and not the private one... What is the best way to accomplish this? Thanks in advance.


3 Replies
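Whatever mechanism ends up rewriting the answers (translation addresses or an iRule), the thing worth verifying afterwards is that no external query still receives an internal VIP address. The script below is an added example, not code from the thread or from F5: it takes the NAT table from the post, treats the post's 2.2.2.0/24 stand-in plus the real RFC1918 prefixes as internal space, and audits a constructed set of (wide IP, answer) pairs as an outside client would see them. The wide IP names are made up.

```python
"""Audit GTM answers seen from outside for leaked internal VIP addresses.

Added example; NAT table from the post, wide IP names and answers constructed.
"""
import ipaddress

# Static 1:1 NAT from the post (public -> private), keyed here by the private
# VIP so a leaked private answer can be mapped to the public it should have been.
PUBLIC_BY_PRIVATE = {
    "2.2.2.1": "1.1.1.2",
    "2.2.2.2": "1.1.1.3",
    "2.2.2.3": "1.1.1.4",
    "2.2.2.4": "1.1.1.5",
}

# The post uses 2.2.2.0/24 as a stand-in for RFC1918 space; the real RFC1918
# prefixes are included so the same check works against a real deployment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("2.2.2.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of (wide IP, A-record answer) as an external client sees them.
SAMPLE_ANSWERS = [
    ("app1.example.com", "2.2.2.1"),  # private VIP leaked; NAT says it should be 1.1.1.2
    ("app2.example.com", "1.1.1.3"),  # already the public address, nothing to report
    ("app3.example.com", "2.2.2.9"),  # internal address with no NAT entry at all
]


def audit_answers(answers, public_by_private=PUBLIC_BY_PRIVATE, internal_nets=INTERNAL_NETS):
    """Return one finding per answer that hands an internal address to an external client.

    Each finding is (wide_ip, leaked_addr, expected_public_or_None); None means the
    firewall has no NAT entry for that VIP, so no translation could ever be right.
    Answers that are already public produce no finding.
    """
    findings = []
    for name, addr in answers:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in internal_nets):
            findings.append((name, addr, public_by_private.get(addr)))
    return findings


if __name__ == "__main__":
    for name, leaked, expected in audit_answers(SAMPLE_ANSWERS):
        fix = f"expected {expected}" if expected else "no NAT mapping on the firewall"
        print(f"{name}: answered {leaked} ({fix})")
```

In practice the answers list would be filled from `dig` output against the GTM's listener from outside the firewall; an empty result means every wide IP is handing out its public address.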