Basic design question using firewalls and LTMs
For the longest time the environment I inherited had their web facing servers and so on sitting on the same internal trusted subnets as everything else. What I would like to do is setup a DMZ environment using the ASA as the gateway to reach the web environment. My original proposal is this. Setup a subinterface on the ASA firewall and create a transport VLAN (public address space) in order for outside to reach the VIPs. The backend servers will have private address spacing and sit on VLANs with their default gateways as subinterfaces on the ASA. So basically this is all trunked and any access to and from anywhere this web must cross the ASA. My immediate concern I guess is that return traffic from OUtside -> ASA -> F5 VIP -> Backend Server would now skip the F5 and hit the ASA directly since that is their default gateway. Currently they use the F5 as their default. However this prevents me from locking down access between the different vlans hence the reason to change default gateway to ASA. Has anyone done a DMZ design like this and recommend whats the best way to implement?