Forum Discussion

dbrandel_11561's avatar
dbrandel_11561
Icon for Nimbostratus rankNimbostratus
Jan 19, 2012

Routing outbound traffic to a different VIP

I have a question regarding the routing capabilities of the F5 LTM. We have a scenario in which we have webservers sitting behind a VIP in our DMZ needing to initiate an HTTP session to an RSA web services for validation. Normally, we’d punch a hole in our firewall for each destination IP address, but given that RSA uses a cloud service, we can’t be sure to ever have a complete list of destination IPs. It is also technologically unsound to have our firewall perform DNS resolution, so using a domain name as the destination address in a firewall policy is out.

 

 

We were thinking about configuring the F5 to look for requests destined to RSA’s web services and forward them to a different VIP on the same F5 that has open access to the Internet. A VIP that is separate from the one used by incoming connections from our clients. Would this feat be possible using the LTM? We are running 10.2.2.

 

 

 

Thanks

 

 

dbrandel

 

 

  • A hole is a hole is a hole... adding complexity to the hole doesnt make it go away :P

     

     

    Cant your firewall setup some url-category instead which you bind to the group of webservers?

     

     

    Like:

     

     

    url-category: RSA_web_services:

     

    *.rsa.com, rsa.com

     

     

    (or whatever the urls are along with domains etc)

     

     

    and then as security policy:

     

     

    srcip: group_webservers

     

    srcport: >1023

     

    dstip: any

     

    dstport: 80

     

    appid: web-browsing

     

    url: RSA_web_services (if no match then block)

     

    action: allow and log
  • may we do reverse lookup on destination ip and drop it if it is not part of rsa.com?

     

     

    RESOLV::lookup wiki

     

    http://devcentral.f5.com/wiki/iRules.resolv__lookup.ashx

     

     

    if it is, perform snat. so, source ip will be bigip. on firewall, only allow traffic from bigip ip.

     

     

    is this a little bit better?

     

     

    just my 2 cents.