
Routing and firewall policy


Hi Team. I'm a newbie. Please help guide me. How do I route from the internal F5 to the DMZ network, and create a firewall rule for this diagram?



Hi @Khuongnn77,

> Firstly, make sure that you configure your web servers "10.10.98./2" to use the F5 interface self IP address "" as the default gateway, as I see the web servers and the internal interface of the F5 are in the same VLAN.

> Then, configure a virtual server of type "IP forwarding", and put (web servers subnet as source and DMZ subnet as destination), as the traffic sourced from the web servers to the DMZ should match the DMZ subnet on the F5. Look below, you need to configure it like this:
Forwarding IP.PNG

> I assume that you have configured your interface IPs and VLANs as shown in your figure.
> Then, add a specific route on the F5 itself from (Network tab >>> Routes >> click Create). It should be like the snapshot below:

F5 Route.PNG

> Now, when traffic is sourced from your web servers, it should arrive at your ("Core switch" in the External VLAN).

> I think there is a Layer 4 DMZ firewall after your "Core switch", so you will need to add a route on the "Core switch" that (traffic destined to '' is assigned the interface of the DMZ firewall as next hop).

> Now the traffic is on the DMZ firewall outside interface. You need to add a policy on the firewall; this policy says
(source network '', destination network '', and 'any' service port, or specify your service port).

> Now your traffic should reach "", but do not forget to configure the back routes.
You need to configure these back routes:

On the DMZ firewall: (traffic destined to '' is assigned as next hop the interface of the Core switch that is connected to the DMZ firewall).

On the Core switch: (traffic destined to '' is assigned as next hop the F5 external self IP "").

> Now the returned traffic is on the F5, and the F5 will deliver it back to the internal web servers.


I hope this helps you.
Mohamed Kansoh
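
The forward routes and back routes listed in the reply above can be checked offline before changing any device. The following is an added example, not part of the original post: the subnets, host addresses and device names (`web`, `f5`, `core`, `fw`, `dmz`) are constructed assumptions, since the thread's real addressing is not shown.

```python
import ipaddress

# Constructed lab addressing (assumption; not taken from the thread).
WEB_NET = "10.10.98.0/24"
DMZ_NET = "172.16.50.0/24"

# Per-device routing tables: prefix -> next-hop device, or "connected".
TABLES = {
    "web":  {"0.0.0.0/0": "f5"},                     # default gateway = F5 internal self IP
    "f5":   {WEB_NET: "connected", DMZ_NET: "core"}, # static route added on the F5
    "core": {DMZ_NET: "fw", WEB_NET: "f5"},          # forward route + back route
    "fw":   {DMZ_NET: "connected", WEB_NET: "core"}, # back route on the DMZ firewall
    "dmz":  {"0.0.0.0/0": "fw"},
}

def next_hop(device, dst, tables):
    """Longest-prefix match on one device; returns hop name, 'connected' or None."""
    best = None
    for prefix, hop in tables[device].items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None

def trace(start, dst, tables, max_hops=8):
    """Follow next hops from `start` toward `dst`; returns (path, status)."""
    path, device = [start], start
    for _ in range(max_hops):
        hop = next_hop(device, dst, tables)
        if hop is None:
            return path, f"no route on {device}"
        if hop == "connected":
            return path, "delivered"
        path.append(hop)
        device = hop
    return path, "loop"

def check_both_ways(tables, web_host="10.10.98.10", dmz_host="172.16.50.10"):
    """Trace web -> DMZ and DMZ -> web so a missing back route shows up."""
    return {"forward": trace("web", dmz_host, tables),
            "return": trace("dmz", web_host, tables)}

if __name__ == "__main__":
    for direction, (path, status) in check_both_ways(TABLES).items():
        print(direction, " -> ".join(path), status)
```

Deleting the `WEB_NET` entry from the `core` table reproduces the usual symptom of a missing back route: the forward trace is delivered while the return trace stops at the core switch.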

Hi Team.

Thank you for replying so soon.

I am sending the diagram and config again. Please check and help me. I only want internal to be able to access the domain.


Here is the route from switch: ip route

Here is the route from F5:


Firewall rule


Here is ip 


Thank you for your support. I can do that.

Hi @Khuongnn77,

Sorry for being late in replying to your second inquiry, but I wasn't available to do it, and I will definitely check it when I become available.

- Let me know now: have you finished your task, or do you still need support?

Also, did the first inquiry work for you, or did you face issues?


Mohamed Kansoh

Thank you, I did this case.

Well done, good news.


Mohamed Kansoh


Hi Team.

Today I have an issue: I cannot access the web interface and SSH. Can you help me?