Forum Discussion

Khuongnn77's avatar
Khuongnn77
Icon for Nimbostratus rankNimbostratus
Nov 08, 2022

Routing and firewall policy

Hi Team. I'm new bie. Please help me guide. How to route from internal f5 to network dmz. And create firewall rule for this diagram

  • Hi Khuongnn77 , 

    > Firstly , Make sure that you configure your web servers " 10.10.98./2" to use F5 interface self ip address " 10.10.98.9" as a Default Gateway as I see the web servers and Internal interface of F5 are in the same Vlan. 

    > then , Configure a Virtual server " IP forwarding " type , and put ( web servers subnet as source and DMZ subnet as a destination ) as the traffic sourced from web servers to DMZ should match the DMZ subnet on F5 , Look below you need to configure like this : 

    > I assume that you have configured your interfaces ips , Vlans as shown in your Figure. 
    > then , Add a specific Route on F5 it self from ( Network tab >>> Routes >> Click create ) , it should be like below snap shot : 

    > now , when traffic sourced from your web servers , it should arrive at your (" Core switch " in External Vlan ). 

    > I think there is a Layer 4 DMZ firewall after your " Core Switch " , so you will need to add a route on " Core switch " that ( traffic destinated to '192.168.1.1' assign next hop the interface of DMZ firewall ). 

    > Now , traffic is on DMZ firewall outside interface , you need to add a Policy on Firewall , this policy says 
    (  Source network '10.10.98.0/24' destination network '192.168.1.0/24' and 'any' service port or specify your service port. ) 

    > now your traffic should be reached to " 192.168.1.0/24" but do not forget to configure the Back routes , 
    you need to configure these back routes : 


    On  DMZ Firewall :  ( traffic destinated to '10.10.98.0/24' assign next hop the interface of Core switch that connected with DMZ firewall ).

    On Core Switch :   ( traffic destinated to '10.10.98.0/24' assign next hop the interface of F5 external self ip " 172.16.1.2"  ).

    > now , The returned traffic is on F5 and F5 will deliver it back to internal web servers 

     

    I hope this help you 
    Regards. 
    Mohamed Kansoh

    • Khuongnn77's avatar
      Khuongnn77
      Icon for Nimbostratus rankNimbostratus

      Hi Team.

      Thank u for reply soon. 

      I resent again diagram and config. please check help me. i only want to internal can access the domain.

      Here is the route from switch:              ip route 10.10.98.0 255.255.255.0 10.10.99.10

      Here is the route from F5:

      Firewall rule

      Here is ip 

      • Hi Khuongnn77 , 

        Sorry for being late to reply to your second inquiry , but I wasn't available to do it , and definitely I will check it when becoming available. 

        - Let me know now , Have you finished your task or still need support ? 

        Also , Did the first inquiry worked with you or you faced issues ?

        Regards.