William_Housen_
Nov 16, 2011

Basic design question using firewalls and LTMs

Hello all

For the longest time the environment I inherited had their web facing servers and so on sitting on the same internal trusted subnets as everything else. What I would like to do is set up a DMZ environment using the ASA as the gateway to reach the web environment. My original proposal is this. Set up a subinterface on the ASA firewall and create a transport VLAN (public address space) in order for outside to reach the VIPs. The backend servers will have private address spacing and sit on VLANs with their default gateways as subinterfaces on the ASA. So basically this is all trunked and any access to and from anywhere this web must cross the ASA. My immediate concern I guess is that return traffic from Outside -> ASA -> F5 VIP -> Backend Server would now skip the F5 and hit the ASA directly since that is their default gateway. Currently they use the F5 as their default. However this prevents me from locking down access between the different VLANs hence the reason to change default gateway to ASA. Has anyone done a DMZ design like this and recommend what's the best way to implement?






2 Replies

  • nathe



    F5 have catered for this scenario with SNAT. See definition from PDF guide below. Basically it means the source IP is changed to be the F5 so return traffic always goes via the F5.



    "A secure network address translation (SNAT) is a BIG-IP® Local Traffic Manager™ feature that translates the source IP address within a connection to a BIG-IP system IP address that you define. The destination node then uses that new source address as its destination address when responding to the request.

    For inbound connections, that is, connections initiated by a client node, SNATs ensure that server nodes always send responses back through the BIG-IP system, when the server's default route would not normally do so. Because a SNAT causes the server to send the response back through the BIG-IP system, the client sees that the response came from the address to which the client sent the request, and consequently accepts the response."



    Hope this helps.






  • Hamish

    Your design is fine. You can force the traffic BETWEEN VLANs to pass via the ASA by using virtual servers to forward the traffic.



    You set up 1x default VS on port 0 (Everything) for all protocols that is enabled on all the DMZs. Usually I create that as a normal VS and the pool has the ASA IP address as the pool member.



    You then set up 1x VS for EACH DMZ that's enabled on the transport (The VLAN between the F5 and the ASA) VLAN only. They're network with address/mask to match the DMZs. On port 0, all protocols.



    It's usually a good idea to have them all fastL4 with loose-initiation and disable the RST on timeout.



    Your service virtual servers are then created as normal and they ALSO listen ONLY on the transport VLAN.



    So. When a server on a DMZ wants to communicate with another DMZ, the packets hit the default VS, and are forwarded to the ASA. The ASA processes the packet, decides deny (drop) or forward. Forwarded packets are sent to the next hop (The F5) where they match the VS for the DMZ, and are then forwarded across the F5 to the DMZ.



    When DMZ servers want to communicate with service VSs, that follows the same path. If you have VSs that don't require firewalling from the DMZs, you can simply enable them on extra VLANs.



    Simple. No SNAT required.
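
Hamish's layout sketched as BIG-IP configuration, as an added example that is not part of the original thread. Object names, VLAN names (`transport`, `dmz_web`, `dmz_app`) and all addresses are constructed, and making the per-DMZ virtual server an IP-forwarding type is an assumption the post does not state.

```tmsh
# Constructed example: every name, VLAN and address below is a placeholder.
# Assumes DMZ servers use the BIG-IP self IP on their VLAN as default gateway.
ltm profile fastl4 dmz_fwd_fastl4 {
    defaults-from fastL4
    loose-initiation enabled
    reset-on-timeout disabled
}
ltm pool asa_gw_pool {
    members {
        192.0.2.1:any { address 192.0.2.1 }
    }
}
# Default VS: anything arriving from a DMZ VLAN is handed to the ASA unchanged.
ltm virtual dmz_default_to_asa {
    destination 0.0.0.0:any
    mask any
    ip-protocol any
    pool asa_gw_pool
    profiles { dmz_fwd_fastl4 { } }
    translate-address disabled
    translate-port disabled
    vlans { dmz_web dmz_app }
    vlans-enabled
}
# One network VS per DMZ, transport VLAN only: carries what the ASA permitted.
# Repeat with the matching subnet for each further DMZ.
ltm virtual to_dmz_web {
    destination 10.10.10.0:any
    mask 255.255.255.0
    ip-forward
    ip-protocol any
    profiles { dmz_fwd_fastl4 { } }
    vlans { transport }
    vlans-enabled
}
# Service VS: listens on the transport VLAN only, so DMZ hosts reach it via the ASA.
ltm pool web_pool {
    members {
        10.10.10.11:https { address 10.10.10.11 }
    }
}
ltm virtual vs_web_https {
    destination 198.51.100.10:https
    ip-protocol tcp
    pool web_pool
    profiles { tcp { } }
    vlans { transport }
    vlans-enabled
}
```

With loose initiation enabled, the forwarding virtual servers accept packets that do not start a new connection, so the ASA is the only stateful policy point for inter-DMZ flows.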