Forum Discussion
William_Housen_
Nov 16, 2011 | Nimbostratus
Basic design question using firewalls and LTMs
Hello all For the longest time the environment I inherited had their web facing servers and so on sitting on the same internal trusted subnets as everything else. What I would like to do is ...
Hamish
Nov 16, 2011 | Cirrocumulus
Your design is fine. You can force the traffic BETWEEN VLANs to pass via the ASA by using virtual servers to forward the traffic.
You set up 1x default VS on port 0 (everything) for all protocols that is enabled on all the DMZs. Usually I create that as a normal VS and the pool has the ASA IP address as the pool member.
You then set up 1x VS for EACH DMZ that's enabled on the transport VLAN (the VLAN between the F5 and the ASA) only. They're network VSs, with address/mask to match the DMZs. On port 0, all protocols.
It's usually a good idea to have them all fastL4 with loose-initiation and the RST on timeout disabled.
Your service virtual servers are then created as normal and they ALSO listen ONLY on the transport VLAN.
So, when a server on a DMZ wants to communicate with another DMZ, the packets hit the default VS and are forwarded to the ASA. The ASA processes the packet and decides deny (drop) or forward. Forwarded packets are sent to the next hop (the F5), where they match the VS for the DMZ and are then forwarded across the F5 to the DMZ.
When DMZ servers want to communicate with service VSs, that follows the same path. If you have VSs that don't require firewalling from the DMZs, you can simply enable them on extra VLANs.
Simple. No SNAT required.
H
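The layout Hamish describes, written out as tmsh commands. This is an added example, not Hamish's own configuration; the VLAN names (dmz1, dmz2, transport), the subnets, the ASA inside address and the web pool are all assumed, and the `#` lines are annotations.

```tmsh
# Assumed topology (constructed for this example):
#   dmz1 = 10.10.1.0/24, dmz2 = 10.10.2.0/24, transport VLAN towards the ASA,
#   ASA inside interface = 10.10.0.1, a public web VS at 10.10.0.80.
#   VLANs and self IPs are assumed to exist already.

# fastL4 profile: loose initiation so packets that come back from the ASA
# mid-flow are accepted, and no RST is sent when the idle timeout expires.
create ltm profile fastl4 fl4_fw_transit defaults-from fastL4 loose-initialization enabled loose-close enabled reset-on-timeout disabled

# 1. Default VS, enabled on the DMZ VLANs only: anything a DMZ host sends that
#    no other VS matches is handed to the ASA as next hop. Address and port
#    translation are disabled so the ASA sees the original destination and
#    can apply its rules to the real packet. No SNAT is configured.
create ltm pool asa_next_hop members add { 10.10.0.1:0 }
create ltm virtual vs_dmz_default_to_asa destination 0.0.0.0:0 mask any ip-protocol any profiles add { fl4_fw_transit } pool asa_next_hop translate-address disabled translate-port disabled vlans-enabled vlans add { dmz1 dmz2 }

# 2. One network forwarding VS per DMZ, enabled ONLY on the transport VLAN,
#    so a DMZ is reachable only for traffic the ASA has already permitted.
create ltm virtual vs_fwd_dmz1 destination 10.10.1.0:0 mask 255.255.255.0 ip-protocol any profiles add { fl4_fw_transit } ip-forward vlans-enabled vlans add { transport }
create ltm virtual vs_fwd_dmz2 destination 10.10.2.0:0 mask 255.255.255.0 ip-protocol any profiles add { fl4_fw_transit } ip-forward vlans-enabled vlans add { transport }

# 3. A service VS, also listening only on the transport VLAN, so DMZ-to-service
#    traffic takes the same trip through the ASA.
create ltm pool web_pool members add { 10.10.1.10:80 10.10.1.11:80 }
create ltm virtual vs_web destination 10.10.0.80:80 ip-protocol tcp profiles add { tcp http } pool web_pool vlans-enabled vlans add { transport }

# Check: every VS should show vlans-enabled and exactly the VLANs intended;
# any VS enabled on a DMZ VLAN other than the default one bypasses the ASA.
list ltm virtual vs_dmz_default_to_asa vlans vlans-enabled
list ltm virtual vs_fwd_dmz1 vlans vlans-enabled
list ltm virtual vs_web vlans vlans-enabled
```

If a VS later needs to skip the firewall for a particular DMZ, adding that DMZ VLAN to its `vlans` list is the change Hamish refers to, and it is worth reviewing that list whenever a VS is modified.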