Forum Discussion

Khuongnn77 (Nimbostratus)
Nov 08, 2022

Routing and firewall policy

Hi Team. I'm a newbie. Please help guide me. How do I route from the internal F5 to the DMZ network, and create a firewall rule for this diagram?

7 Replies

  • Hi Khuongnn77,

    > Firstly, make sure that you configure your web servers "10.10.98./2" to use the F5 interface self IP address "10.10.98.9" as their default gateway, as I see the web servers and the internal interface of the F5 are in the same VLAN.

    > Then, configure a virtual server of type "IP forwarding", and put the web servers' subnet as the source and the DMZ subnet as the destination, as the traffic sourced from the web servers to the DMZ should match the DMZ subnet on the F5. Look below; you need to configure it like this:

    > I assume that you have configured your interface IPs and VLANs as shown in your figure.
    > Then, add a specific route on the F5 itself (Network tab >>> Routes >>> Click create); it should be like the snapshot below:

    > Now, when traffic is sourced from your web servers, it should arrive at your "Core switch" in the External VLAN.

    > I think there is a Layer 4 DMZ firewall after your "Core Switch", so you will need to add a route on the "Core switch" (traffic destined to '192.168.1.1': assign as next hop the interface of the DMZ firewall).

    > Now the traffic is on the DMZ firewall's outside interface; you need to add a policy on the firewall. This policy says:
    (Source network '10.10.98.0/24', destination network '192.168.1.0/24', and 'any' service port, or specify your service port.)

    > Now your traffic should reach "192.168.1.0/24", but do not forget to configure the back routes.
    You need to configure these back routes:

    On the DMZ firewall: (traffic destined to '10.10.98.0/24': assign as next hop the interface of the core switch that is connected with the DMZ firewall).

    On the core switch: (traffic destined to '10.10.98.0/24': assign as next hop the F5 external self IP "172.16.1.2").

    > Now the returned traffic is on the F5, and the F5 will deliver it back to the internal web servers.

    I hope this helps you.
    Regards.
    Mohamed Kansoh
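The reply above is a multi-device procedure (web server default gateway, IP-forwarding virtual server and static route on the BIG-IP, forward route on the core switch, firewall permit rule, and the back routes on the firewall and core switch), and the part people most often miss is the last one: without the back routes the return traffic dies on a stateful device, and the forwarding VS itself is what lets the BIG-IP pass the flow at all. The script below is an added example, not part of the original thread, that models the five devices as routing tables plus a stateful transit check and traces both directions of a flow from 10.10.98.2 to 192.168.1.1. Addresses taken from the reply: web server 10.10.98.2, BIG-IP self IPs 10.10.98.9 (internal) and 172.16.1.2 (external), DMZ host 192.168.1.1. Assumed, because the thread does not give them: core switch 172.16.1.1 on the External VLAN, a 172.16.2.0/24 link between core switch (172.16.2.1) and DMZ firewall outside (172.16.2.2), and firewall inside 192.168.1.254. Ports are ignored, matching the "any service" rule.

```python
"""Route-symmetry check for the reply above. Added example, not from the thread.
Assumed addresses (not in the thread): core 172.16.1.1 / 172.16.2.1,
firewall outside 172.16.2.2, firewall inside 192.168.1.254."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional


@dataclass
class Device:
    name: str
    interfaces: dict                            # name -> IPv4Interface (connected nets)
    routes: list = field(default_factory=list)  # (network, next-hop address)
    forwarders: Optional[list] = None           # BIG-IP: (src net, dst net) IP-forwarding VS
    policy: Optional[list] = None               # firewall: (src net, dst net) permit rules
    flows: set = field(default_factory=set)     # (src, dst) this stateful device has seen

    def owns(self, addr):
        return any(i.ip == addr for i in self.interfaces.values())

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns (prefix length, next hop) with next hop None when directly
        connected, or None when nothing matches (a route whose gateway is
        not on a connected network is ignored, as a real box would)."""
        best = None
        for iface in self.interfaces.values():
            if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, None)
        for net, gw in self.routes:
            reachable = any(gw in i.network for i in self.interfaces.values())
            if dst in net and reachable and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, gw)
        return best

    def permits(self, src, dst):
        """Stateful transit check: the reply of a flow already seen passes; a new
        flow needs a matching forwarding VS (BIG-IP has no default listener) or a
        matching permit rule (firewall, default deny). Plain routers pass all."""
        if (dst, src) in self.flows:
            return True
        for rules in (self.forwarders, self.policy):
            if rules is not None and not any(src in s and dst in d for s, d in rules):
                return False
        self.flows.add((src, dst))
        return True


def trace(devices, src, dst, max_hops=8):
    """Follow one packet hop by hop. Returns (device names visited, status)."""
    by_addr = {i.ip: d for d in devices for i in d.interfaces.values()}
    cur, path = by_addr[src], []
    while len(path) < max_hops:
        path.append(cur.name)
        if cur.owns(dst):
            return path, "delivered"
        if len(path) > 1 and not cur.permits(src, dst):   # source host is not a transit hop
            return path, f"dropped by {cur.name}: no listener or rule for {src}->{dst}"
        hop = cur.lookup(dst)
        if hop is None:
            return path, f"dropped by {cur.name}: no route to {dst}"
        nxt = by_addr.get(hop[1] if hop[1] is not None else dst)
        if nxt is None:
            return path, f"dropped by {cur.name}: next hop unreachable"
        cur = nxt
    return path, "loop"


def build(back_routes=True, forwarding_vs=True):
    """The topology from the reply; toggles reproduce the two classic mistakes."""
    web = Device("web", {"eth0": ip_interface("10.10.98.2/24")},
                 [(ip_network("0.0.0.0/0"), ip_address("10.10.98.9"))])  # F5 internal self IP as GW
    f5 = Device("f5", {"internal": ip_interface("10.10.98.9/24"), "external": ip_interface("172.16.1.2/24")},
                [(ip_network("192.168.1.0/24"), ip_address("172.16.1.1"))],   # static route to DMZ via core
                forwarders=[(ip_network("10.10.98.0/24"), ip_network("192.168.1.0/24"))] if forwarding_vs else [])
    core = Device("core", {"vlan_ext": ip_interface("172.16.1.1/24"), "to_fw": ip_interface("172.16.2.1/24")},
                  [(ip_network("192.168.1.0/24"), ip_address("172.16.2.2"))])  # DMZ via firewall outside
    fw = Device("fw", {"outside": ip_interface("172.16.2.2/24"), "inside": ip_interface("192.168.1.254/24")},
                policy=[(ip_network("10.10.98.0/24"), ip_network("192.168.1.0/24"))])  # the permit rule
    dmz = Device("dmz", {"eth0": ip_interface("192.168.1.1/24")},
                 [(ip_network("0.0.0.0/0"), ip_address("192.168.1.254"))])
    if back_routes:  # the reply's "do not forget the back routes"
        core.routes.append((ip_network("10.10.98.0/24"), ip_address("172.16.1.2")))
        fw.routes.append((ip_network("10.10.98.0/24"), ip_address("172.16.2.1")))
    return [web, f5, core, fw, dmz]


def check(back_routes=True, forwarding_vs=True):
    devices = build(back_routes, forwarding_vs)
    fwd_path, fwd = trace(devices, ip_address("10.10.98.2"), ip_address("192.168.1.1"))
    ret_path, ret = trace(devices, ip_address("192.168.1.1"), ip_address("10.10.98.2"))
    return {"forward": fwd, "return": ret, "path": fwd_path,
            "symmetric": ret_path == fwd_path[::-1]}


if __name__ == "__main__":
    for kwargs in ({}, {"back_routes": False}, {"forwarding_vs": False}):
        print(kwargs or "complete config", check(**kwargs))
```

With the full configuration both directions are delivered over the same five devices in reverse order. Dropping the back routes leaves the forward path intact and kills the return on the first device that has no route to 10.10.98.0/24, which is exactly the "works one way" symptom that gets blamed on the firewall policy; dropping the forwarding virtual server makes the BIG-IP discard the flow on the internal VLAN before any routing happens. Note the model assumes one return path; if the real core switch could also reach 10.10.98.0/24 via a different next hop than the F5 external self IP (the second post in this thread shows a route to 10.10.99.10), the symmetric check is the one to extend.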

    • Khuongnn77 (Nimbostratus)

      Hi Team.

      Thank you for replying so soon.

      I resent the diagram and config again. Please check and help me. I only want the internal network to be able to access the domain.

      Here is the route from the switch: ip route 10.10.98.0 255.255.255.0 10.10.99.10

      Here is the route from the F5:

      Firewall rule:

      Here is the IP:

      • Hi Khuongnn77,

        Sorry for being late to reply to your second inquiry, but I wasn't available to do it, and I will definitely check it when I become available.

        - Let me know now: have you finished your task, or do you still need support?

        Also, did the first inquiry work for you, or did you face issues?

        Regards.