Forum Discussion
amiranti1982_54
Nimbostratus
NimbostratusI have a F5-LTM sandwiched between ASAs and a CheckPoint firewall... Need route help!
I am trying to set up a complicated system of firewalls stacked on one another inside of a DMZ.
I have configured a CheckPoint as my outside (outside to the DMZ) firewall facing the public. The inside interface is plugged directly into one of the Ethernet ports on the F5. Also on the F5, I have another interface (on the same VLAN as the CheckPoint) plugged into a Cisco switch.
From there I have two ASA 5520 devices plugged into the same switch and configured with DMZ VLAN IP addresses as their outside interface address. Their inside IP addresses are RFC 1918 and connect to a core 7606 router.
My main question is, how do I route the F5 to talk to the ASAs, which I would like to load balance behind the F5?
The CheckPoint communicates back and forth with the F5 and the Cisco Switch. The CheckPoint also communicates back and forth with the F5. The ASAs can both communicate with the Cisco switch, BUT the ASAs (both configured on the same VLAN) are unable to communicate with the F5. I have set the ASA device's gateway as the CheckPoint IP address as well as the F5 IP (separately) with no luck. I need routes back to the ASAs, but I am unclear on how to do that. There are a lot of options in creating routes.
I have tried to keep this as simple as possible, however. I am running into complications. The F5 has been set up with a VLAN 115, self IP and two untagged physical interfaces, virtual server for the VIP of the ASAs, a pool for both ASA devices for load balancing, and no definite routes for connectivity.
I have created a drawing of the network layout, but it will not upload to this page. I can send it to anyone that feels it would be helpful in assisting me.
12 Replies
- A diagram might be helpful as I am not sure I understand what is in what vlan. Are the ASA firewalls in the same vlan as the F5 and the checkpoint FW or is it a diffrent vlan? If it is different then I would think the F5 should be in this VLAN as well.
amiranti1982_54Good morning Steve. I have created a VLAN specifically for this set up. The F5 is on VLAN 115. Both physical interface (one going to the CheckPoint and one going to the Cisco switch) are untagged for VLAN 115.
The inside interface (LAN 2) of the CheckPoint is on VLAN 115, and the outside interfaces of the ASAs are on VLAN 115. The Cisco switch has no routes and is simply utilizing layer 2 VLAN connectivity to pass traffic back and forth.
Is there a way that I can send you the network drawing that I created?- Honestly if they are all in the same VLAN I am not sure I even need a network diagram. How is vlan 115 configured on the LTM? Are both interfaces listed as untagged in this vlan?
- amiranti1982_54Yes, both of the physical interafces (1.7 to the CheckPoint and 1.8 to the Cisco switch) are untagged for VLAN 115. When I tag them they no longer respond to ICMP. When untagged, they do.
- and you can ping from checkpoint and from the switch? If that is the case then I would suspect something is off on the ASA side.
- amiranti1982_54From the switch I can connect directly with the CheckPoint through the F5-LTM. I can connect directly to the F5-LTM. I can connect directly to the ASAs. I need a route from the F5-LTM back to the ASAs. The ASA information is leaving out of the outside interface, traversing the switch, getting to the F5 and there is no return route for information back to the ASAs.
I have made mutiple configuration and route changes to both the ASA and the F5-LTM, as I too believed the ASA was the root problem.
However, during my testing, I have connected the ASA directly to the F5, took the switch out of the equation, and still suffered the same issue. No matter how I tried to configure the routes on the F5-LTM, I was unable to get the ASA to communicate directly with the F5-LTM. - I am not sure I understand where routes come into play? All of these devices are on the same vlan so I would assume they are in the same IP Subnet, is this not correct?
- amiranti1982_54The problem is, the ASA is in routed mode (layer 3) and not transparent mode (layer 2). Although all of the devices in the configured DMZ are on the same subnet, they require routes to move traffic from one device to another. Especially between the ASA and the F5.
The ASA has to be in routed mode in order to seperate protected and unprotected networks. Our Core switch that sits behind the ASA is on a completely different VLAN and needs to be fenced off behind the DMZ.
The ASAs will be set up as a bank of ASAs that the F5-LTM load balances in a round-robin configuration.
Each of the ASAs are 5520s and cannot be configured like the 5505s in a transparent mode, and still accomplish the same goal. The ASAs are routers themselves. They are the last line of defence. before inbound traffic reaches our internal devices. The ASAs are configured for SSL VPN connectivity. Thus we need "inside" interface routes and "outside" interface (VLAN 115) routes.
The F5 in this scenario will act like a router as well, taking inbound packets from the CheckPoint, load balancing the packets, sending them to one of the ASAs in a bank of ASAs and then to the Core switch. Outbound traffic is coming from the Core switch, through one of the ASAs and and then to the F5 where it then routes the packets to the CheckPoint and then out to the public. - amiranti1982_54________
| |
| ASA |
|_______ |
/ 10.5.7.251/24
/
_______ ________ ____________ /
| | | | | |
| CP |--------------| F5 |-------------| Switch |
|_______| |_______| |____________|
10.5.7.252/24 10.5.7.253/24 10.5.7.254/24 \
\
\
_______
| |
| ASA |
|______ |
10.5.7.250/24 - Ok this makes sense. So the ASA boxes can ping 10.5.7.254 but not .253?
