LTM VE behind Sophos Firewall deployment - configuration/setup question
Apologies both for the long post and my ignorance. This is a different setup than what I'm used to dealing with and I'm trying to get some clarity.
I am standing up a new rack in a co-location facility. My ISP is providing blended IP space and has provided two different public IP address blocks: one for their frontside network (/29) and one for the backside network (/28).
The LTM will be used exclusively for load-balancing IIS web servers and SSL offloading.
*The addresses I'm using in my example aren't "real" addresses, but they are within the same range.
My firewall is configured with 172.16.255.180 as the WAN IP, using 172.16.255.177 as the gateway; 172.16.255.160/28 is the backside network for the DMZ, and 172.16.255.161 is the DMZ interface assignment; 10.1.0.0/16 is my LAN, and 10.1.200.1 is the LAN interface assignment.
I do not have any firewall rules for incoming traffic yet; but I do have a DMZ to WAN rule to allow outbound traffic.
My LTM VE is running 13.1.5 and I have not yet started setup, but I will likely only have two interfaces/VLANs: internal and external. The internal interface/VLAN will be on the 10.1.0.0 network. All my web servers will be on that network.
At long last, the question: When configuring the EXTERNAL interface, should I use an address from the DMZ's public IPs (which means all my virtual servers hosting externally-accessible sites would have public IPs in that range) or use the firewall to NAT that traffic to a different network? Is there a better approach? What are the pros and cons?
When you use a one-arm configuration you need to use SNAT on the BigIP; you can use automap or a SNAT pool.
Without this, the requests coming from the Internet to the virtual server and the servers will not go back through the BigIP.
If your servers in this case need to have the firewall as the default gateway, traffic they initiate will not go through the BigIP. Use a SNAT to make any reply from the server go back through the BigIP. But you probably already have this if you say you can browse a web server.
You use the BigIP as the default gateway when you have dual-arm (routed mode).
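To make the two options in the reply concrete, here is an added tmsh example (not the poster's or F5's own configuration) showing a one-arm deployment with SNAT automap next to a two-arm routed deployment where the BIG-IP is the servers' default gateway. All addresses, VLAN names, pool member IPs and object names are constructed for illustration and follow the ranges used in the question; the firewall DNAT rule for the one-arm case is assumed to exist on the Sophos side and is not shown.

```tmsh
# ---------------------------------------------------------------
# Option A: one-arm. The BIG-IP has a single self IP on the
# internal VLAN. The firewall DNATs a public DMZ address to the
# VIP 10.1.200.50. Because client and server are both reached over
# the same VLAN and the servers' default gateway is the firewall,
# SNAT automap rewrites the client source to the BIG-IP self IP so
# that server replies return through the BIG-IP instead of
# bypassing it.
# ---------------------------------------------------------------
create net vlan internal interfaces add { 1.1 }
create net self 10.1.200.10 address 10.1.200.10/16 vlan internal allow-service default

# With SNAT the servers only ever see 10.1.200.10 as the client.
# Insert X-Forwarded-For so IIS logs still record the real client.
create ltm profile http http_xff defaults-from http insert-xforwarded-for enabled

create ltm pool web_pool members add { 10.1.10.11:80 10.1.10.12:80 } monitor http

# SSL offload: clientssl terminates TLS, pool members are plain HTTP.
create ltm virtual web_onearm_vs destination 10.1.200.50:443 ip-protocol tcp \
    profiles add { tcp http_xff clientssl { context clientside } } \
    pool web_pool \
    source-address-translation { type automap }

# ---------------------------------------------------------------
# Option B: two-arm (routed mode). The external self IP lives in the
# DMZ /28, the VIP is a public DMZ address, and the servers point
# their default gateway at the internal self IP. No SNAT is needed
# because the BIG-IP is in the forwarding path in both directions.
# ---------------------------------------------------------------
create net vlan external interfaces add { 1.2 }
create net self 172.16.255.162 address 172.16.255.162/28 vlan external allow-service none
create net route default gw 172.16.255.161

create ltm virtual web_twoarm_vs destination 172.16.255.170:443 ip-protocol tcp \
    profiles add { tcp http clientssl { context clientside } } \
    pool web_pool \
    vlans-enabled vlans add { external }
```

The two-arm virtual server is restricted to the external VLAN so it does not also answer on the internal side, and the external self IP uses `allow-service none` so nothing on the BIG-IP itself (including the management GUI) is reachable from the DMZ address. Option A keeps all public addressing on the firewall at the cost of losing the true client IP at the server unless X-Forwarded-For is inserted; Option B preserves client IPs in the server logs but puts the BIG-IP in the servers' routing path, so the DMZ-to-WAN outbound rule on the firewall must permit the BIG-IP's external self IP rather than the individual web servers.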