Design question incorporating a firewall

Question

Hi,&nbsp;I'm stuck with some questions about a design that includes a firewall. I have the following two possible setups, where situation 1 seems more lenient and situation 2 would always require changes to my firewall to permit traffic passing through onto my F5. My goal is to easily expand virtual servers with new external addresses (counting from 40.50.60.3).&nbsp;Questions regarding situation 1:What would my default route be for nodes in the 192.168.1.x network? My guess is 192.168.1.1 as they would use that for their default route and since SNAT auto-map on the F5 would set up a direct (stateful) connection, it would use the floating self IP on the egress VLAN;The F5 is a virtual appliance that has it's external VLAN untagged to interface 1.2 and external IP 40.50.60.3/29. How would I go about using 40.50.60.4 on the F5 to be used as a virtual server?; You should see the external connection as a layer 2 VLAN that is maintained by us.Would the default route for my F5 be 40.50.60.1? (if even required?)Questions regarding situation 2:What would my default route be for nodes in the 192.168.1.x network? My guess is the floating self IP, 192.168.1.246.&nbsp;Overall questions:Looking at the topologies; am I missing some design matters or other ideas?Which setup would you recommend?&nbsp;Thanks in advance,&nbsp;Dave

james_thomson · Answer

Questions regarding situation 1:What would my default route be for nodes in the 192.168.1.x network? YesMy guess is 192.168.1.1 as they would use that for their default route and since SNAT auto-map on the F5 would set up a direct (stateful) connection, it would use the floating self IP on the egress VLAN;CorrectThe F5 is a virtual appliance that has it's external VLAN untagged to interface 1.2 and external IP 40.50.60.3/29. How would I go about using 40.50.60.4 on the F5 to be used as a virtual server?; You should see the external connection as a layer 2 VLAN that is maintained by us.As long as the BIG-IP has a self-IP on the same subnet,then it exists on the network and you just add a virtual server with that address and it will just work.Would the default route for my F5 be 40.50.60.1? (if even required?)YesQuestions regarding situation 2:What would my default route be for nodes in the 192.168.1.x network? My guess is the floating self IP, 192.168.1.246.Yes&nbsp;Overall questions:Looking at the topologies; am I missing some design matters or other ideas?Which setup would you recommend?&nbsp;

davethoonsen · Answer

Thanks for the confirmation and explanation James.

Forum Discussion

Design question incorporating a firewall

2 Replies

Recent Discussions

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

SMTP profile not visible & showing

About AWAF "Redirect URLs" in "Responses and Blocks"

F5 iRule to replace host to path

Related Content

F5 AFM/Edge Firewall and the difference between Edge Firewalls and Next-generation Firewalls (NGFW)

Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy

LTM VE behind Sophos Firewall deployment - configuration/setup question

Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2)

BIG-IP Advanced Firewall Manager (AFM) DNS NXDOMAIN Query Attack Type Walkthrough - part two