Forum Discussion
amiranti1982_54
Dec 06, 2011 (Nimbostratus)
The problem is, the ASA is in routed mode (layer 3) and not transparent mode (layer 2). Although all of the devices in the configured DMZ are on the same subnet, they require routes to move traffic from one device to another. Especially between the ASA and the F5.
The ASA has to be in routed mode in order to separate protected and unprotected networks. Our Core switch that sits behind the ASA is on a completely different VLAN and needs to be fenced off behind the DMZ.
The ASAs will be set up as a bank of ASAs that the F5-LTM load balances in a round-robin configuration.
Each of the ASAs is a 5520 and cannot be configured like the 5505s in transparent mode and still accomplish the same goal. The ASAs are routers themselves. They are the last line of defence before inbound traffic reaches our internal devices. The ASAs are configured for SSL VPN connectivity. Thus we need "inside" interface routes and "outside" interface (VLAN 115) routes.
The F5 in this scenario will act like a router as well, taking inbound packets from the CheckPoint, load balancing the packets, sending them to one of the ASAs in a bank of ASAs and then to the Core switch. Outbound traffic is coming from the Core switch, through one of the ASAs and then to the F5, where it then routes the packets to the CheckPoint and then out to the public.
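The design the post describes (F5 LTM sitting between the CheckPoint and a round-robin pool of routed-mode ASAs, with traffic in both directions passing through the LTM as a router) maps onto a small set of tmsh objects. The configuration below is an added example, not the poster's or F5's own configuration: it assumes a CheckPoint-facing VLAN named vlan_checkpoint, the ASA "outside" VLAN named vlan115 with ASA outside addresses 10.115.0.11-13, and a CheckPoint inside address of 203.0.113.1; all of these names and addresses are hypothetical.

```tmsh
# --- Inbound: CheckPoint -> LTM -> one ASA in the bank -> Core ---

# Pool of ASA "outside" interfaces on VLAN 115 (hypothetical addresses).
# Port 0 means "any port": the LTM is forwarding whole flows, not a service.
# gateway_icmp pulls a dead ASA out of rotation instead of blackholing flows.
create ltm pool asa_bank \
    members add { 10.115.0.11:0 10.115.0.12:0 10.115.0.13:0 } \
    monitor gateway_icmp \
    load-balancing-mode round-robin

# Wildcard virtual server listening only on the CheckPoint-facing VLAN.
# translate-address/port disabled: the packet keeps its real destination,
# the LTM only picks which ASA's MAC the next hop is, i.e. it acts as a router.
# source_addr persistence keeps every packet from one client on the same ASA;
# a stateful firewall will drop packets of a flow whose earlier packets it
# never saw, so plain per-packet round robin across ASAs does not work.
create ltm virtual vs_inbound_to_asa \
    destination 0.0.0.0:0 mask 0.0.0.0 \
    ip-protocol any \
    profiles add { fastL4 } \
    pool asa_bank \
    translate-address disabled translate-port disabled \
    persist replace-all-with { source_addr } \
    vlans add { vlan_checkpoint } vlans-enabled

# --- Outbound: Core -> one ASA -> LTM -> CheckPoint -> Internet ---

# Forwarding (IP) virtual server on VLAN 115 so return and outbound traffic
# arriving from the ASAs is routed by the LTM's routing table, not dropped.
create ltm virtual vs_outbound_forward \
    destination 0.0.0.0:0 mask 0.0.0.0 \
    ip-protocol any \
    ip-forward \
    profiles add { fastL4 } \
    vlans add { vlan115 } vlans-enabled

# Default route toward the CheckPoint's inside address (hypothetical).
create net route default_gw network default gw 203.0.113.1

# Routes for the internal networks behind the ASAs are not needed on the LTM:
# inbound flows are steered by the pool, and outbound flows arrive from the
# ASAs already addressed to the Internet. Each ASA, in turn, needs its default
# route pointing at the LTM self-IP on VLAN 115 and its inside routes toward
# the Core, exactly the "inside" and "outside" routes the post mentions.

save sys config
```

The point a practitioner should check before trusting this layout is flow symmetry: the ASAs are stateful, so a connection's outbound packets must leave through the same ASA its inbound packets entered. The inbound side is handled by the persistence entry above, but the outbound side depends on how the Core chooses among the ASA inside interfaces; if the Core's routing does not send a given session back through the ASA that admitted it, the ASA will reset or silently drop it regardless of what the LTM does.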