ndaems_145583
Jun 03, 2014 (Nimbostratus)
Access to same subnet as BIG-IP from SSL VPN
Dear,
I have a question about a basic design for SSL VPN.
We have a remote range (SSL VPN): 192.168.250.0/24.
We have a BIG-IP located in DMZ 172.16.1.0/24. In this DMZ I have multiple servers:
- FTP: 172.16.1.1
- HTTP: 172.16.1.2
All DMZ servers are configured with a default route to our firewall (172.16.1.254).
When connected to the VPN I'm not able to reach the DMZ servers. We are not using Automap or SNAT in the SSL VPN profile, to keep a trace of the original IP (192.168.250.x).
- So for the moment the SSL VPN packet destined for my FTP server is sent to the F5 (SSL tunnel source: 192.168.250.1 to 172.16.1.1)
- The F5 knows the subnet 172.16.1.1 and sends the packet directly to the FTP server
- The FTP server responds to the 192.168.250.x range via the default route (firewall)
- The packet is dropped because of asymmetric routing
Even though the issue is well understood, I don't know how to get rid of it... I assume that the design is not correct and I should find another way to implement it.
Could you please share any suggestions?
Nicolas
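As an added illustration (not part of Nicolas's post and not F5 code), the Python script below simulates longest-prefix-match routing over the addresses given in the post and traces both halves of the client-to-FTP flow, so the asymmetry becomes visible as a path mismatch rather than a mystery drop. The BIG-IP's DMZ self IP (172.16.1.10), its tunnel-side address (192.168.250.254) and the client address (192.168.250.1) are constructed assumptions. The two remediation options it compares, a return route on the DMZ server for the VPN range pointing at the BIG-IP self IP versus a route on the firewall only, are generic options and not something the post proposes.

```python
import copy
import ipaddress

# Constructed topology built from the addresses in the post. The BIG-IP self IPs
# (172.16.1.10 on the DMZ, 192.168.250.254 on the tunnel side) and the VPN client
# address 192.168.250.1 are assumptions. next_hop None means "directly connected".
BASE_TOPOLOGY = {
    "client":   {"addrs": {"192.168.250.1"},
                 "routes": [("0.0.0.0/0", "bigip")]},            # everything into the SSL tunnel
    "bigip":    {"addrs": {"172.16.1.10", "192.168.250.254"},
                 "routes": [("172.16.1.0/24", None),             # DMZ self IP, connected
                            ("192.168.250.0/24", None),          # VPN lease pool, reached via the tunnel
                            ("0.0.0.0/0", "firewall")]},
    "ftp":      {"addrs": {"172.16.1.1"},
                 "routes": [("172.16.1.0/24", None),
                            ("0.0.0.0/0", "firewall")]},         # default route to the firewall, as in the post
    "firewall": {"addrs": {"172.16.1.254"},
                 "routes": [("172.16.1.0/24", None),
                            ("0.0.0.0/0", "internet")]},         # "internet" is not a simulated node
}


def lookup(topo, node, dst):
    """Longest-prefix match over a node's routing table; returns (network, next_hop) or None."""
    best = None
    for prefix, next_hop in topo[node]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def owner(topo, dst):
    """Return the node that holds the destination address, or None."""
    for name, node in topo.items():
        if str(dst) in node["addrs"]:
            return name
    return None


def trace(topo, src, dst_ip, max_hops=8):
    """Follow hop-by-hop routing decisions from src towards dst_ip.

    Returns (path, delivered). A path ending in a DROP(...) marker was not delivered.
    """
    dst = ipaddress.ip_address(dst_ip)
    node, path = src, [src]
    for _ in range(max_hops):
        if str(dst) in topo[node]["addrs"]:
            return path, True
        route = lookup(topo, node, dst)
        if route is None:
            return path + ["DROP(no route)"], False
        _net, next_hop = route
        if next_hop is None:                      # connected: deliver on the local segment
            target = owner(topo, dst)
            if target is None:
                return path + ["DROP(no host on connected network)"], False
            node = target
        else:
            if next_hop not in topo:              # e.g. the firewall's upstream default route
                return path + [f"DROP({next_hop}: no route back to the VPN range)"], False
            node = next_hop
        path.append(node)
    return path + ["DROP(loop)"], False


def run_scenario(extra_routes=()):
    """Trace client -> FTP and FTP -> client after adding (node, prefix, next_hop) routes.

    Returns (forward_path, return_path, symmetric). The flow is only considered healthy
    when the reply retraces the forward path, i.e. passes through the same devices.
    """
    topo = copy.deepcopy(BASE_TOPOLOGY)
    for node, prefix, next_hop in extra_routes:
        topo[node]["routes"].insert(0, (prefix, next_hop))
    fwd, fwd_ok = trace(topo, "client", "172.16.1.1")
    ret, ret_ok = trace(topo, "ftp", "192.168.250.1")
    symmetric = fwd_ok and ret_ok and ret == list(reversed(fwd))
    return fwd, ret, symmetric


SCENARIOS = {
    "as described in the post":                     (),
    "return route on the firewall only":            (("firewall", "192.168.250.0/24", "bigip"),),
    "return route on the DMZ server via BIG-IP":    (("ftp", "192.168.250.0/24", "bigip"),),
}

if __name__ == "__main__":
    for title, routes in SCENARIOS.items():
        fwd, ret, symmetric = run_scenario(routes)
        print(f"{title}:")
        print(f"  forward: {' -> '.join(fwd)}")
        print(f"  return:  {' -> '.join(ret)}")
        print(f"  symmetric: {symmetric}")
```

Only the third scenario makes the reply retrace the forward path while the client keeps its real 192.168.250.x source address, which is the property the post wants to preserve without SNAT. The second scenario shows why a route on the firewall alone is not enough: the firewall then sees only the reply half of every connection, so a stateful policy has no matching session for it. Pushing the VPN range toward the BIG-IP from every DMZ host is the change to review, either as a static route on each server or on whatever device is their next hop for that prefix.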