Forum Discussion
Routing and firewall policy
Hi Team. I'm a newbie. Please help guide me. How do I route from the internal F5 to the DMZ network, and create a firewall rule for this diagram?
Hi Khuongnn77,
> Firstly, make sure that you configure your web servers "10.10.98./2" to use the F5 interface self IP address "10.10.98.9" as their default gateway, as I see the web servers and the internal interface of the F5 are in the same VLAN.
> Then, configure a virtual server of type "IP forwarding" and put the web servers' subnet as source and the DMZ subnet as destination, because traffic sourced from the web servers to the DMZ should match the DMZ subnet on the F5. Look below, you need to configure it like this:
> I assume that you have configured your interface IPs and VLANs as shown in your figure.
> Then, add a specific route on the F5 itself (Network tab >>> Routes >> click Create); it should be like the snapshot below:
> Now, when traffic is sourced from your web servers, it should arrive at your "Core switch" in the External VLAN.
> I think there is a Layer 4 DMZ firewall after your "Core Switch", so you will need to add a route on the "Core switch" (traffic destined to '192.168.1.1' is assigned the interface of the DMZ firewall as next hop).
> Now the traffic is on the DMZ firewall's outside interface, and you need to add a policy on the firewall. This policy says:
(Source network '10.10.98.0/24', destination network '192.168.1.0/24', and 'any' service port, or specify your service port.)
> Now your traffic should reach "192.168.1.0/24", but do not forget to configure the back routes.
You need to configure these back routes:
On the DMZ firewall: (traffic destined to '10.10.98.0/24' is assigned the interface of the core switch that connects to the DMZ firewall as next hop).
On the core switch: (traffic destined to '10.10.98.0/24' is assigned the F5 external self IP "172.16.1.2" as next hop).
> Now the returned traffic is on the F5, and the F5 will deliver it back to the internal web servers.
I hope this helps.
Regards,
Mohamed Kansoh
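The procedure in Mohamed Kansoh's reply above has two halves that both have to exist before a single TCP connection works: the forward path (web server -> F5 IP-forwarding virtual server -> core switch -> DMZ firewall policy -> DMZ) and the back routes on the firewall and core switch. The following is an added example, not code from the original thread or from F5: it walks both directions over constructed route tables built from the addresses in the thread (web subnet 10.10.98.0/24, F5 internal self IP 10.10.98.9, F5 external self IP 172.16.1.2, DMZ 192.168.1.0/24) and shows that forgetting the core switch back route breaks the return leg even though the forward leg is fine. The core switch address on the external VLAN (172.16.1.1), the core/firewall link (172.16.2.0/24) and the firewall outside address (172.16.2.2) are assumptions for the example, as is the use of a /24 for the DMZ route on the core switch.

```python
"""Trace forward and return paths for web servers -> F5 -> core switch ->
DMZ firewall -> DMZ over constructed route tables (example, not F5 code).

From the thread: web subnet 10.10.98.0/24, F5 internal self IP 10.10.98.9,
F5 external self IP 172.16.1.2, DMZ 192.168.1.0/24. Assumed for the example:
core switch 172.16.1.1 on the external VLAN, core/firewall link 172.16.2.0/24,
firewall outside address 172.16.2.2.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Device:
    """One hop. A route is (prefix, gateway); gateway None means directly connected."""
    name: str
    routes: list = field(default_factory=list)
    # F5 only: IP-forwarding virtual servers as (source_net, destination_net);
    # a new flow that matches none of them is not forwarded.
    forwarding_vs: Optional[list] = None
    # Firewall only: permit rules as (source_net, destination_net); default deny.
    policy: Optional[list] = None

    def best_route(self, dst):
        """Longest-prefix match, as a router does."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_topology():
    f5 = Device("F5", routes=[
        (Net("10.10.98.0/24"), None),                 # internal VLAN (self IP 10.10.98.9)
        (Net("172.16.1.0/24"), None),                 # external VLAN (self IP 172.16.1.2)
        (Net("192.168.1.0/24"), IPv4("172.16.1.1")),  # the "specific route" to the DMZ (assumed gw)
    ], forwarding_vs=[(Net("10.10.98.0/24"), Net("192.168.1.0/24"))])
    core = Device("Core switch", routes=[
        (Net("172.16.1.0/24"), None),
        (Net("172.16.2.0/24"), None),                 # assumed link to the firewall
        (Net("192.168.1.0/24"), IPv4("172.16.2.2")),  # toward the DMZ firewall outside interface
        (Net("10.10.98.0/24"), IPv4("172.16.1.2")),   # back route toward the F5 external self IP
    ])
    fw = Device("DMZ firewall", routes=[
        (Net("172.16.2.0/24"), None),
        (Net("192.168.1.0/24"), None),
        (Net("10.10.98.0/24"), IPv4("172.16.2.1")),   # back route toward the core switch
    ], policy=[(Net("10.10.98.0/24"), Net("192.168.1.0/24"))])
    owners = {  # which device answers on each gateway address
        IPv4("172.16.1.1"): core, IPv4("172.16.2.1"): core,
        IPv4("172.16.1.2"): f5, IPv4("172.16.2.2"): fw,
    }
    return {"F5": f5, "Core switch": core, "DMZ firewall": fw}, owners


def trace(start, owners, src, dst, new_flow=True):
    """Walk hop by hop until dst is directly connected.

    Returns (delivered, hop_names, reason). The forwarding-VS and policy checks
    apply only to a new flow: the return leg of an established flow is matched
    by connection state on the F5 and the firewall, so only a missing route
    can break it, which is the 'back routes' point in the reply.
    """
    dev, hops = start, []
    for _ in range(8):  # bound the walk so a routing loop cannot spin forever
        hops.append(dev.name)
        if new_flow and dev.forwarding_vs is not None and not any(
                src in s and dst in d for s, d in dev.forwarding_vs):
            return False, hops, f"{dev.name}: no IP-forwarding virtual server matches {src} -> {dst}"
        if new_flow and dev.policy is not None and not any(
                src in s and dst in d for s, d in dev.policy):
            return False, hops, f"{dev.name}: policy denies {src} -> {dst}"
        route = dev.best_route(dst)
        if route is None:
            return False, hops, f"{dev.name}: no route to {dst}"
        prefix, gw = route
        if gw is None:
            return True, hops, f"{dev.name}: {dst} delivered on connected {prefix}"
        if gw not in owners:
            return False, hops, f"{dev.name}: next hop {gw} unreachable"
        dev = owners[gw]
    return False, hops, "too many hops (routing loop?)"


def demo():
    """Forward path, return path, the return path once the core switch back
    route is forgotten, and a host outside the web subnet that the forwarding
    virtual server does not cover."""
    devices, owners = build_topology()
    web, dmz = IPv4("10.10.98.2"), IPv4("192.168.1.10")
    forward = trace(devices["F5"], owners, web, dmz)
    back = trace(devices["DMZ firewall"], owners, dmz, web, new_flow=False)
    other = trace(devices["F5"], owners, IPv4("10.10.99.5"), dmz)
    core = devices["Core switch"]
    core.routes = [r for r in core.routes if r[0] != Net("10.10.98.0/24")]
    broken = trace(devices["DMZ firewall"], owners, dmz, web, new_flow=False)
    return forward, back, broken, other


if __name__ == "__main__":
    labels = ("forward", "return", "return, no core back route", "other subnet")
    for label, result in zip(labels, demo()):
        print(label, result)
```

The forward trace passes the forwarding virtual server and the firewall policy; the return trace only consults routes, and dropping the `10.10.98.0/24` entry on the core switch is enough to strand the reply there. The last case shows why the forwarding virtual server is scoped to the web subnet: a source outside `10.10.98.0/24` is not forwarded at all, which is what the original poster wanted ("only internal can access").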
- Khuongnn77 (Nimbostratus)
Hi Team.
Thank you for replying so soon.
I have re-sent the diagram and config. Please check and help me. I only want internal to be able to access the domain.
Here is the route from the switch: ip route 10.10.98.0 255.255.255.0 10.10.99.10
Here is the route from the F5:
Firewall rule:
Here is the IP:
- Khuongnn77 (Nimbostratus)
Thank you for your support. I can do that.
Hi Khuongnn77,
Sorry for being late to reply to your second inquiry, but I wasn't available to do it, and I will definitely check it when I become available.
- Let me know now: have you finished your task, or do you still need support?
Also, did the first inquiry work for you, or did you face issues?
Regards.