Jan 19, 2012

Routing outbound traffic to a different VIP

I have a question regarding the routing capabilities of the F5 LTM. We have a scenario in which we have web servers sitting behind a VIP in our DMZ that need to initiate an HTTP session to an RSA web service for validation. Normally, we'd punch a hole in our firewall for each destination IP address, but given that RSA uses a cloud service, we can't be sure to ever have a complete list of destination IPs. It is also technologically unsound to have our firewall perform DNS resolution, so using a domain name as the destination address in a firewall policy is out.

We were thinking about configuring the F5 to look for requests destined to RSA's web services and forward them to a different VIP on the same F5 that has open access to the Internet, a VIP separate from the one used by incoming connections from our clients. Would this feat be possible using the LTM? We are running 10.2.2.

  • A hole is a hole is a hole... adding complexity to the hole doesn't make it go away :P

    Can't your firewall set up some url-category instead, which you bind to the group of webservers?

    url-category: RSA_web_services:
    (or whatever the urls are along with domains etc)

    and then as security policy:

    srcip: group_webservers
    srcport: >1023
    dstip: any
    dstport: 80
    appid: web-browsing
    url: RSA_web_services (if no match then block)
    action: allow and log
  • May we do a reverse lookup on the destination IP and drop it if it is not part of

    RESOLV::lookup wiki

    If it is, perform SNAT, so the source IP will be the BIG-IP's. On the firewall, only allow traffic from the BIG-IP IP.

    Is this a little bit better?

    Just my 2 cents.
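The reverse-lookup-then-SNAT idea in the comment above, written out as an iRule. This is an added example, not code from the thread or from F5. It assumes the DMZ web servers' outbound traffic hits a wildcard (0.0.0.0/0) forwarding virtual server on the LTM, that 192.0.2.53 is an internal DNS server the BIG-IP is allowed to query, and that ".example.net" stands in for the RSA service's domain suffix; all three are placeholders. One thing the comment leaves implicit is that a PTR record is published by whoever owns the address block, so a matching name on its own proves nothing; the example therefore resolves the returned name forward again and only trusts the destination when it maps back to the same IP.

```tcl
# Forward-confirmed reverse lookup on an outbound forwarding virtual server.
# Added example; the DNS server address and the domain suffix are placeholders.
when CLIENT_ACCEPTED {
    # On a wildcard forwarding virtual, the client-side local address is the
    # real destination the web server is trying to reach.
    set dst [IP::local_addr]
    set allowed 0
    set confirmed ""

    # Step 1: PTR lookup on the destination IP, as the comment suggests.
    set names [RESOLV::lookup @192.0.2.53 -ptr $dst]

    # Step 2: the PTR owner can publish any name, so resolve each candidate
    # forward and accept only if the destination IP is among its A records.
    foreach name $names {
        set name [string tolower [string trimright $name "."]]
        if { [string match "*.example.net" $name] } {
            set fwd [RESOLV::lookup @192.0.2.53 -a $name]
            if { [lsearch -exact $fwd $dst] >= 0 } {
                set allowed 1
                set confirmed $name
                break
            }
        }
    }

    if { $allowed } {
        # Source becomes a BIG-IP self IP, so the firewall rule collapses to
        # "allow from the BIG-IP" instead of a moving list of RSA addresses.
        snat automap
        log local0. "outbound from [IP::client_addr] to $dst allowed ($confirmed)"
    } else {
        log local0. "outbound from [IP::client_addr] to $dst dropped: no confirmed match"
        drop
    }
}
```

Two DNS round trips per new connection add latency and make the resolver a dependency of every outbound session; if that matters, cache the verdict per destination IP with the `table` command for the record's TTL, and keep the accepted suffixes in a data group rather than a literal so the rule does not need editing when the list changes. The log lines give the firewall team a per-connection record of which names were actually confirmed behind the single allowed source address.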