Forum Discussion
Routing outbound traffic to a different VIP
I have a question regarding the routing capabilities of the F5 LTM. We have a scenario in which we have webservers sitting behind a VIP in our DMZ needing to initiate an HTTP session to an RSA web service for validation. Normally, we'd punch a hole in our firewall for each destination IP address, but given that RSA uses a cloud service, we can't be sure to ever have a complete list of destination IPs. It is also technologically unsound to have our firewall perform DNS resolution, so using a domain name as the destination address in a firewall policy is out.
We were thinking about configuring the F5 to look for requests destined to RSA's web services and forward them to a different VIP on the same F5 that has open access to the Internet, a VIP that is separate from the one used by incoming connections from our clients. Would this feat be possible using the LTM? We are running 10.2.2.
Thanks
dbrandel
3 Replies
- mikand_61525
Nimbostratus
A hole is a hole is a hole... adding complexity to the hole doesn't make it go away :P
Can't your firewall set up some url-category instead, which you bind to the group of webservers?
Like:
url-category: RSA_web_services:
*.rsa.com, rsa.com
(or whatever the URLs are, along with domains etc.)
and then as security policy:
srcip: group_webservers
srcport: >1023
dstip: any
dstport: 80
appid: web-browsing
url: RSA_web_services (if no match then block)
action: allow and log
- Arie
Altostratus
Can you use certificates?
- nitass
Employee
May we do a reverse lookup on the destination IP and drop it if it is not part of rsa.com?
RESOLV::lookup wiki: http://devcentral.f5.com/wiki/iRules.resolv__lookup.ashx
If it is, perform SNAT, so the source IP will be the BIG-IP. On the firewall, only allow traffic from the BIG-IP IP.
Is this a little bit better?
Just my 2 cents.
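The approach nitass sketches (reverse-resolve the destination, drop anything not under rsa.com, otherwise SNAT so the firewall only needs to permit the BIG-IP's egress address), written out as an illustrative iRule. This is an added example, not code from the thread or from F5; it assumes a wildcard forwarding virtual server (0.0.0.0:80) that the DMZ webservers use as their outbound route, and the DNS server address 10.0.0.53 is a placeholder.

```tcl
# Illustrative outbound-filtering iRule (added example, not from the thread).
# Assumptions:
#   - attached to a wildcard forwarding virtual server (0.0.0.0:80) on the
#     DMZ side, so IP::local_addr is the destination the webserver chose
#   - 10.0.0.53 is a placeholder for an internal DNS server the BIG-IP can reach
#   - "snat automap" uses the BIG-IP egress self IP, which is the only source
#     address the firewall permits outbound
when CLIENT_ACCEPTED {
    # Destination address picked by the DMZ webserver (the RSA cloud endpoint)
    set dst [IP::local_addr]

    # Reverse-resolve the destination; RESOLV::lookup returns "" on failure
    set ptr [string tolower [RESOLV::lookup @10.0.0.53 -ptr $dst]]

    # Accept both "host.rsa.com" and the dotted-FQDN form "host.rsa.com."
    if { $ptr ends_with ".rsa.com" || $ptr ends_with ".rsa.com." } {
        # Source-NAT to the BIG-IP so the firewall rule can be scoped to it
        snat automap
        log local0. "outbound allow: [IP::client_addr] -> $dst ($ptr)"
    } else {
        # No PTR, or a PTR outside rsa.com: refuse the connection and record it
        log local0. "outbound drop: [IP::client_addr] -> $dst (ptr='$ptr')"
        drop
    }
}
```

Two points a practitioner would want alongside this: RESOLV::lookup is a blocking call, so each new outbound connection pays a DNS round trip, and a PTR record is published by whoever owns the destination address block, so the rsa.com match is a convenience filter rather than a hard control. The enforcing control in this design is the firewall rule that only permits outbound traffic from the BIG-IP's SNAT address, which is what nitass's reply relies on; logging both branches gives the DMZ a record of every destination the webservers attempted to reach.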