Forum Discussion

Heath_35665
Aug 20, 2008

Load Balancing Design Question

We have the following setup

internet --> Cisco PIX firewall --> F5 LTM (sits in DMZ segment) --> Web Servers (sits in private DMZ segment)

The F5s are set up with an external VLAN (facing the PIX) and an internal VLAN (facing the web servers). The VLANs are separate layer 3 subnets. In a setup like this, since the F5s don't route, how do you provide access to other networks that are on other legs of the PIX firewall? Do you have to do something like the following?

internet --> Cisco PIX firewall --> F5 LTM --> Web Servers --> Router to other networks

- Heath

4 Replies

  • The LTM does route, actually. You need to set up IP forwarding virtuals to accomplish this. You can do it globally by entering a forwarding virtual with 0.0.0.0/0 applied to all VLANs, which will allow all packets to route (assuming the necessary routes are in the routing table). If you want to be more granular, you can apply 0.0.0.0/0 to your private DMZ network only and match it with a default route to your PIX, then set up network-specific forwarding virtuals to your internal networks and apply these where appropriate (the forwarding virtuals should be applied to the VLANs where the traffic is coming from, not where it is going). Post back if you have any questions.
  • Basically, I would need to create a new virtual server of type "network" that sets the destination to any networks that I need to reach and set ports to *. I would use Type = IP and Protocols = ALL. You mention "assuming the necessary routes are in the routing table". Can you expand on this? Also, would I need to set the default gateway of my web servers to be a self IP on the respective VLAN? How do the web servers know where to forward traffic?
  • Yep, that's it, Denny, thanks. I also let the firewalls do the security stuff, but I do minimize the routing possibilities to localize the tools available for mischief in the event of a breach.
  • Very helpful...thanks to both of you. We are going to work on this configuration on Thursday night. I think we have a pretty good handle on how to make it work now.
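As an added example (not from this thread and not F5's own documentation), here is what the granular design from the first reply looks like as tmsh configuration, together with the piece the second reply asks about: the web servers use a floating self IP on the private DMZ VLAN as their default gateway, and the LTM's own routing table (the "necessary routes") points the rest of the way at the PIX. Every name and address below is constructed: the VLANs are assumed to be called `external` and `private_dmz`, the PIX DMZ interface is 192.0.2.1, the private DMZ subnet is 10.10.10.0/24, and the internal network on another PIX leg is 10.20.0.0/16. The catch-all forwarder is enabled only on the VLAN the traffic originates from, and the forwarder on the external VLAN only matches the private DMZ subnet, so a compromised host cannot use the LTM as a general-purpose router toward other networks (the point made in the third reply).

```tmsh
# Added example (constructed addresses and names); tmsh syntax is assumed,
# the original 2008 setup would have used bigpipe, but the objects are the same.

# Floating self IP on the private DMZ VLAN: this is what the web servers
# use as their default gateway (assumption: servers default-route to the LTM).
net self 10.10.10.1 {
    address 10.10.10.1/24
    allow-service none
    floating enabled
    traffic-group traffic-group-1
    vlan private_dmz
}

# Routing table entries: the LTM forwards only what it has a route for.
# Default route back to the PIX for anything not on a directly connected VLAN.
net route default {
    gw 192.0.2.1
    network default
}
# The internal network on another PIX leg is also reached via the PIX.
net route to_corp {
    gw 192.0.2.1
    network 10.20.0.0/16
}

# Catch-all forwarding virtual (0.0.0.0/0), enabled ONLY on the VLAN where
# the traffic enters (the private DMZ), so the web servers can reach the PIX
# and, through its routes, the internal network and the Internet.
ltm virtual fwd_from_private_dmz {
    destination 0.0.0.0:any
    mask any
    ip-forward
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        private_dmz
    }
    vlans-enabled
}

# Network-specific forwarding virtual on the external VLAN: traffic arriving
# from the PIX is forwarded only if it is destined for the private DMZ subnet
# (e.g. monitoring or admin access from the internal network to the servers),
# not to arbitrary destinations. This keeps the LTM from becoming a transit router.
ltm virtual fwd_from_external_to_private_dmz {
    destination 10.10.10.0:any
    mask 255.255.255.0
    ip-forward
    profiles {
        fastL4 { }
    }
    translate-address disabled
    translate-port disabled
    vlans {
        external
    }
    vlans-enabled
}
```

With this in place, a packet from a web server to 10.20.1.5 hits the `fwd_from_private_dmz` forwarder (it arrived on `private_dmz`), the LTM looks up 10.20.0.0/16 in its routing table and sends it to the PIX at 192.0.2.1; the PIX policy then decides whether the DMZ is allowed to talk to that network. Return traffic from the PIX to 10.10.10.x matches `fwd_from_external_to_private_dmz` and is delivered on the directly connected VLAN. Anything arriving on `external` that is not addressed to the private DMZ subnet matches no virtual server and is dropped by the LTM, which is the behaviour you want from a device that sits between firewall legs.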