

David_Glasgow_1
Nov 06, 2013

Default Route for Network Access

Hi All

 

We have an interface of our F5 sitting in the DMZ, and another interface on our corporate. From a remote device we would like to tunnel all traffic back (this is working). However, the interface in the DMZ has a default route to the internet, and therefore traffic for the internet is understandably routed via this interface. I would like to force all traffic coming back via Virtual Server/network access to route via the Corporate LAN interface, and therefore outbound traffic to the internet would pass via our Corporate firewalls and have the appropriate policies applied.

 

Is this possible?

 

Cheers David

 

7 Replies

  • "Vlan allow access list" would be the best method to route specific types of backend traffic back to its intended transit network on the uplink fw.

     

    Also... have multiple transits from the uplink fw to the LTM and route traffic in that method.

     

    • David_Glasgow_1
      Thanks for your reply - can you provide a little more detail on where I find this feature (sorry, new to F5). Thanks David
  • I don't 100% understand (need more information) but if you are trying to forward traffic without using the TMM routing table entry, then you need to create a Standard virtual server with a network address (non 255.255.255.255 mask). This will turn it into a forwarding server over which you have control of the next hop. The next hop will be determined by the Pool you assign as a resource - this pool could (and often would) have only one pool member - the IP of the next-hop that will get you to the firewalls.

     

  • Hi,

     

    I was able to get this working using a Route Domain. After creating the route domain, I created a default route (e.g. 0.0.0.0%1 - or whatever id used for your Route Domain).

     

    Regards, Chris
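
The route-domain approach in the last reply can be checked on paper before touching the device. The following is an added example, not part of any post in this thread and not F5 code: a small Python model of per-route-domain longest-prefix lookup using the `address%id` notation, to confirm that tunnelled traffic placed in route domain 1 leaves via the corporate firewall while route domain 0 keeps the DMZ default. All addresses are constructed, the `addr%id/prefix` destination form is assumed, and each route domain is modelled as isolated (no parent-domain lookup).

```python
import ipaddress

def parse_route(dest, gateway):
    """Split 'addr%rd/prefix' and 'gw%rd'; a missing %id means route domain 0."""
    addr, _, prefix = dest.partition("/")
    addr, _, rd = addr.partition("%")
    gw, _, gw_rd = gateway.partition("%")
    rd = int(rd or 0)
    # A gateway in another route domain would silently defeat the isolation.
    if int(gw_rd or 0) != rd:
        raise ValueError(f"gateway {gateway} is not in route domain {rd}")
    return rd, ipaddress.ip_network(f"{addr}/{prefix}"), ipaddress.ip_address(gw)

def build_tables(routes):
    """Group routes into one table per route domain id."""
    tables = {}
    for dest, gateway in routes:
        rd, net, gw = parse_route(dest, gateway)
        tables.setdefault(rd, []).append((net, gw))
    return tables

def next_hop(tables, rd, dst):
    """Longest-prefix match inside a single route domain; None if no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in tables.get(rd, []) if dst in net]
    if not matches:
        return None
    return str(max(matches, key=lambda m: m[0].prefixlen)[1])

# Constructed sample routes (not taken from the thread).
ROUTES = [
    ("0.0.0.0/0", "192.0.2.1"),         # RD 0: default via the DMZ gateway
    ("0.0.0.0%1/0", "10.20.0.1%1"),     # RD 1: default via the corporate firewall
    ("10.0.0.0%1/8", "10.20.0.254%1"),  # RD 1: internal networks via core router
]
TABLES = build_tables(ROUTES)

if __name__ == "__main__":
    for rd, dst in [(0, "198.51.100.7"), (1, "198.51.100.7"), (1, "10.5.5.5")]:
        print(f"route domain {rd}: {dst} -> {next_hop(TABLES, rd, dst)}")
```
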