Forum Discussion
NimbostratusAccess to same subnet than BIIG IP from SSL VPN
Dear,
I've a question about a basic design for SSL VPN
We've a remote Range (SSL VPN) 192.168.250.0/24
We have a BIGIP located in DMZ 172.16.1.0/24. In this DMZ I've multiple servers:
- FTP: 172.16.1.1
- HTTP: 172.16.1.2
All DMZ Server are configured with default route to our Firewall (172.16.1.254)
When connected in VPN I'm not able to reach the DMZ Servers. We are not using Automap or SNAT in SSLVPN profile to keep a trace of original IP (192.168.250.x).
- So for the moment the SSL VPN packet destinated to my FTP server is sent to the F5 (SSL Tunnel Source: 192.168.250.1 to 172.16.1.1)
- F5 knows the subnet 172.16.1.1 and send the packet directly to the FTP server
- FTP server response to range 192.168.250.x via the default route (Firewall)
- Packet is dropped because of asymetric routing
Even the issue is well understood I don't know how to get rid of it... I assume that the design is not correct and I should find another way to implement it
Could you please share any suggestion ?
Nicolas
13 Replies
What_Lies_Bene1Cirrostratus
Forgive me but where is the F5 involved?
- What is the Virtual Server IP address?
- Is the SSL VPN terminated on the F5?
Do you have a SNAT of some sorts turned on the Virtual server? If not, you'll need that without the F5 being your Default Gateway. Otherwise you will route around your F5 and break the connection..
- ndaems_145583
Hi,
@What Lies Beneath Yes of course F5 is the VPN Termination point... Virtual Server is 172.16.1.100 which is in the same subnet than the DMZ...
That's why I'm getting asymetric routing... First packet is sent directly (via the VPN to the F5) and then the answer is sent back from the server via the Firewall which doesn't have any opened session...
@iRuleYou Everything works fine with SNAT or Automap on the VS but in this case I'm not able to identify the orgininal IP (192.168.250.x)...
I also had a look to Route Domain but not able to find a correct solution
Thanks for your help
Nicolas
Original IP is saved on BIG-IP in logs. Also you may create iRule to manipulate with src IP (save in special file or similar) But if you wish using None for Snat, and your clients are from another subnet, then the backend servers will use the default GW for responses, and you have to configure default GW to redirect responses to BIG-IP, or use BIG-IP as GW (btw, you may use BIG-IP as firewall too with the AFM module).
David_StoutIf I'm understanding the above correctly you will need to add a static route to the servers to point the 192.168.250.0/24 range to the BIGIP instead of the default route.
- ndaems_145583
Hi,
Yes static route will solve my issue but it's not something that we want to implement... If we have to deploy more server into the DMZ it will become a nightmare to maintain...
Today I will try to setup a lab and add a new VLAN (10.1.1.x). I will create a new Route Domain and will associate it with the VPN feature... In this case I suppose that VPN will need to use the defaut route of the new domain. This route will point to the Firewalls... This will maybe solve my issue
I'll keep you posted
- What_Lies_Bene1
Assuming you are willing to entirely redesign and build the DMZ and F5 setup then sure, you can fix this. Your best bet would be to put the F5 'inline'; so have a /29 small subnet between the firewall and F5, route a /24 or similar for Virtuals from the Firewall to the F5 over it and use another /24 for the real servers. Let me know if you want me to expand on that.
- ndaems_145583
Hi,
Not sure I understand why we need to put it inline?
What will be the benefits inspite of using a dedicated DMZ for the F5 ?
Thanks for you help
- What_Lies_Bene1The benefits are no SNAT and full visibility of all traffic into and out of the DMZ. It's still just a DMZ but you have full control and visibility at L3 within it.
- David_Stout
Another way to solve this is to have the DMZ servers pointing to the firewall as normal as the default gateway but add a secondary IP to the firewall interface.
You then configure an IP Pool for the VPN users on the same network range as the secondary IP range. You also enable proxy arp on the Network Access policy so that the APM responds to ARP requests correctly and the firewall picks up the responses on the secondary IP range. What would happen is that the APM routes to the secondary IP on the firewall and then back out the interface to the DMZ Servers. The DMZ Servers would route to the original default gateway then back out the same interface to the IP Pool configured.
However you lose the original source IP which I believe you want to keep (although you can see which clients had what pool IP in the logs which is better than using SNAT). Welcome to the wonderful world of network engineering :) You will need to either implement the static routes, manage your design differently or take the option above as a compromise but would require a bit more looking up of client to pool IPs if there are any issues.
- ndaems_145583
Hi All,
Finally found a good setup !
Here is what I tested yesterday...
- Define a new DMZ Zone on the Firewall (172.16.10.0/24)
- Define a new Interface on the F5
- Define a new Route Domain on the F5 a place the newly created VLAN into the RD.
- Use stric isolation in the RD
- Add a new defaut route into the route domain to point the new interface on the Firewall
- In APM assign the Route Domain after authenticated
Everything works fine with Route Domain
Thanks for your help
- What_Lies_Bene1Interesting, glad it works.
Belanger__YvesAltostratus
Hi,
Do you use Proxy ARP or SNAT option?
Thanks, Yves
