Forum Discussion

Micha__Iwaszko_
Jan 27, 2009

DMZ design/configuration problem

Hello. I have a design/configuration problem with mail servers in a DMZ, using LTMs for load balancing SMTP/HTTP connections. For example:

1. There's a network, 192.168.0.0/24 that's terminated on a firewall with an address 192.168.0.1 (being the default gateway for all devices in that network).

2. I have two SMTP servers and a pair of LTMs (whatever addresses, for now it doesn't really matter).

3. SMTP connections from the internet are going to the Virtual Server on the LTM pair and then go to the SMTP servers without being SNATed.

4. SMTP servers need to download updates, but can't use a proxy server for it.

And the question is, how to manage all of this with my LTM pair? According to point 3 I need to have a default route on the SMTP servers pointing at the LTM (floating address? VS address?), because the firewall will not pass the traffic (the connection was made to the VS and that's what the firewall would like to see). But according to point 4 I need to pass the traffic to the internet somehow... So, is there a way to make the LTMs work as a simple router for this HTTP traffic, keeping in mind the default gateway address that has to be set to something "on" the LTMs for point 3 to work? Or maybe some other way?

7 Replies

  • This drawing is typical for a DMZ where the DMZ servers need outbound access and are not just responding to requests. The firewalls will need to be configured to permit the traffic sourced in the DMZ, and not all DMZ policy supports this, so if you are not responsible for the security devices as well, the discussion will need to take place.
  • I have another DMZ that looks very similar to the one in the drawing and it's working, but in this one I don't have two networks and the LTMs have their interfaces in the same network as everything else. And I still want this to work :-)
  • Ah, so the SMTP servers are in the same network as the firewall and the LTM "outside" interfaces? Well, you're going to have to SNAT in this case, unless you want to do nPath routing. Details:

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_sol_guide_943/sol_npath.html1061202
  • It's not exactly what I would like to achieve, because of the firewall that terminates this network. Therefore the return packet of the SMTP connection cannot bypass the LTM, but at the same time the packet originating from the SMTP servers has to skip the LTM SNAT/LB processing and simply be routed at L3 to the LTM's default gateway. Is that possible?

    PS. The only problem here is to make the LTM accept and route the HTTP packet from the SMTP server without any VSes etc.
  • The LTM is a default deny device; you must have a virtual server to forward traffic, even if the route is present in the routing table. If you want the LTM to route the traffic originated from the SMTP servers, you need to create a 0.0.0.0/0 network forwarding VIP, unless you can specify the outbound destinations for updates.
  • citizen_elah, one last thing. Could you please paste an example of this 0/0 forwarding VIP? I would be grateful.
  • Oh, found that one: http://devcentral.f5.com/default.aspx?tabid=53&view=topic&forumid=5&postid=7986

    Thanks for all the help.
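As an added example (not posted in this thread and not taken from the linked F5 documents), here is what the 0.0.0.0/0 IP forwarding virtual server from citizen_elah's reply looks like in BIG-IP tmsh configuration syntax (the bigip.conf form), with the scoping a security engineer would add so the LTM does not turn into an open router for anything that can reach it. The virtual server name, the VLAN name `dmz_internal`, and the use of the 192.168.0.0/24 subnet from the original post as the permitted source are assumptions; the `source` keyword is assumed to be available on the software version in use.

```tmsh
# Added example: IP forwarding virtual server that lets the SMTP servers,
# whose default gateway is the LTM floating self IP, reach the internet
# for updates. Object names and the VLAN name are assumptions, not from the thread.
ltm virtual vs_dmz_outbound_forward {
    # Wildcard destination: match any address and any port (the "0/0 VIP")
    destination 0.0.0.0:any
    mask any
    # Forward the packet at L3 instead of load balancing it to a pool
    ip-forward
    # Only accept flows that originate from the DMZ server subnet (assumed
    # from the original post) instead of 0.0.0.0/0, so the forwarding VS
    # cannot be used by other hosts that can reach the LTM
    source 192.168.0.0/24
    # Listen only on the server-side VLAN; without this the VS answers on
    # every VLAN, including the outside-facing one
    vlans {
        dmz_internal
    }
    vlans-enabled
    # No SNAT and no port translation: the firewall sees the real server IP,
    # which is also what keeps the SMTP return path symmetric through the LTM
    translate-address disabled
    translate-port disabled
    # fastL4 is the profile used for plain forwarding
    profiles {
        fastL4 { }
    }
}
```

Two things still have to be true for this to work as the thread describes: the SMTP servers' default gateway is the LTM floating self IP on that VLAN (not the SMTP virtual server address), and the firewall at 192.168.0.1 permits connections sourced from the DMZ, as the first reply points out. In the original poster's single-network layout the VLAN restriction does little on its own, so the `source` scoping is what actually limits who can route through the LTM; a plain `source 0.0.0.0/0` forwarding VS gives up the default-deny behaviour that the reply relies on.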