VLANs and Firewalls and things

You'd typically find this design in place: ISP > Firewall > F5

 

 

From an IP perspective: ISP:Firewall would be one subnet, Firewall:F5 would be another subnet and you'd then have another subnet for the 'inside' of the F5. They shouldn't be on the same subnet ideally.

 

 

Of course, this depends on how your ISP does it's addressing and how you are terminating the ISPs lines/equipment etc.

OK...thanks so very much. Can I assume that the same rules apply for a dual-homed ISP situation. We are doing failover with the F5 in HA active/standby.

I would say so yes, presumably you deal with the link redundancy etc. forward of the firewall. Of course, you could always use the F5 to provide the firewall functions too and save some money.

I've been talknig to management about elementing the FW's and putting the F5's on the edge for access, VPN, and firewall. We've had the ASA's for sometime now , just haven't put them into production. The fear is the VPN client and end-user experience. Everyone's familiar with Cisco AnyConnect.

 

Thanks so very much for all of your assistance on this. We originally had the FW and F5 and ISP converging in a unmanaged switch into vlans but I could never get the traffic to go through the F5. The subnets makes total sense now.

 

You're welcome.

I finally got the subnet between the firewall and the F5 "talking". Question, where do I NAT make it so that internet traffic goes through the F5 and then the FW? I did as you said..ISP>FW> F5.