F5 Redirection over Public Networks
Hi,
I am trying to set up an F5 in this way and I am wondering where this is going wrong:
I have the F5 facing the Internal network, and the external network connected to a Firewall DMZ interface facing the internet.
I created a public IP on the Firewall which NATs the traffic to the F5 BIG-IP VIP, which is on the external DMZ interface connected to the Firewall.
External NAT:
I created a new public IP X.X.X.X on our Firewall and did a static NAT to the 172.16.183.82 VIP:
!
Firewall(config)# static (DMZ,outside) X.X.X.X 172.16.183.82 netmask 255.255.255.255
!
Opened external access to the X.X.X.X IP for www and https:
access-list acl_out extended permit tcp any host X.X.X.X eq www
access-list acl_out extended permit tcp any host X.X.X.X eq https
So when external users hit the X.X.X.X IP, they are NATed by the Firewall to 172.16.183.82, which is the F5 VIP.
I created:
Internal Vlan – Self IP 10.10.10.1 – Reachable from Internal network
External Vlan – Self IP 172.16.183.80 – Reachable from Firewall DMZ/Internet Firewall
Routes:
10.0.0.0 255.0.0.0 GW 10.10.10.1 (Internal Vlan Gateway)
0.0.0.0 0.0.0.0 GW 172.16.183.81 (FW DMZ interface connected to the F5 external VLAN)
HTTP Profile:
http_X-Forwarded-For, inherited by the http class, with X-Forwarded-For enabled
iRule:
redirect_rule
when HTTP_REQUEST {
    # Compare the lower-cased request URI against the patterns below.
    # Note: HTTP::uri includes any query string, so "/test?x=1" does not match.
    # A pattern followed by "-" falls through to the next body, so "/test" and
    # "/test/" share one redirect.
    switch "[string tolower [HTTP::uri]]" {
        "/test" -
        "/test/" {
            # Send a 302 with this Location; the client then connects to
            # test.domain.com itself, the F5 does not proxy the request.
            HTTP::redirect "http://test.domain.com/odt"
        }
        "/cims" -
        "/cims/" {
            HTTP::redirect "http://test.domain.com/cims"
        }
    }
}
test.domain.com is a server in the Internal network for example 10.20.1.20
Virtual Server:
redirect_HTTP
VIP 172.16.183.82 (reachable from the FW) with the X-Forwarded-For profile and SNAT AutoMap enabled on the internal and external interfaces
Then I test the results on an external PC:
I go to:
When trying this from an external network that does not have direct access to the internal network (test.domain.com), it fails.
When trying this from the internal network that has access to test.domain.com, it works.
It seems like the redirect and NAT work, but test.domain.com is only able to reply if the request is sourced from an internal customer host and not from an external customer host.
I thought about something like asymmetric routing, with the internal server not going through the F5 to reply back to the external host after the redirect; however, I already have SNAT enabled as AutoMap.
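Added example, not part of the post above and not F5 code: a small model of the two legs of the flow the post describes. It encodes the posted iRule as a URI-to-Location map and "browses" from three constructed vantage points (internal client, external client, external client whose resolver happens to answer for test.domain.com). The VIP, self IP and origin addresses are taken from the post; PUBLIC_IP is a constructed stand-in for X.X.X.X, and the `rewrite` mode is a hypothetical variant in which the virtual server rewrites the URI and forwards to a pool instead of answering with a 302. Nothing is resolved or connected for real.

```python
"""Model of an HTTP::redirect flow vs. a rewrite-and-forward flow through a
BIG-IP virtual server.  Addresses from the post; PUBLIC_IP and the client
'views' are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

VIP = "172.16.183.82"            # redirect_HTTP virtual server (from the post)
F5_INTERNAL_SELF = "10.10.10.1"  # internal self IP: SNAT Automap source on that VLAN
ORIGIN = "10.20.1.20"            # test.domain.com (from the post)
PUBLIC_IP = "203.0.113.10"       # constructed stand-in for X.X.X.X

# The posted iRule reduced to the URI -> Location map it encodes.
REDIRECTS = {
    "/test": "http://test.domain.com/odt", "/test/": "http://test.domain.com/odt",
    "/cims": "http://test.domain.com/cims", "/cims/": "http://test.domain.com/cims",
}


def redirect_location(uri: str) -> Optional[str]:
    """Same match as `switch [string tolower [HTTP::uri]]` in the iRule."""
    return REDIRECTS.get(uri.lower())


@dataclass
class View:
    """What a client at one vantage point can resolve and open TCP to."""
    name: str
    dns: Dict[str, str]      # name -> IP as this client's resolver answers
    reachable: Set[str]      # IPs this client can connect to
    nat: Dict[str, str]      # destination NAT on the path (public IP -> VIP)


@dataclass
class Hop:
    host: str
    ip: Optional[str]
    status: str


def resolve(view: View, host: str) -> Optional[str]:
    try:
        return str(ipaddress.ip_address(host))   # literal IP needs no DNS
    except ValueError:
        return view.dns.get(host)


def browse(view: View, url: str, mode: str = "redirect", max_hops: int = 5) -> List[Hop]:
    """Follow `url` the way a browser would and record each hop.
    mode='redirect' models the posted iRule; mode='rewrite' is a hypothetical
    variant where the VIP forwards to a pool containing ORIGIN instead."""
    hops: List[Hop] = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path or "/"
        ip = resolve(view, host)
        if ip is None:
            hops.append(Hop(host, None, "DNS failure"))
            return hops
        if ip not in view.reachable:
            hops.append(Hop(host, ip, "connect timeout"))
            return hops
        if view.nat.get(ip, ip) != VIP:
            hops.append(Hop(host, ip, "200 from origin"))
            return hops
        # The request has arrived at the virtual server.
        loc = redirect_location(path)
        if loc is None:
            hops.append(Hop(host, ip, "no rule matched"))
            return hops
        if mode == "rewrite":
            # The F5 opens its own server-side connection; with SNAT Automap the
            # origin sees F5_INTERNAL_SELF as the source, so its reply comes back
            # to the F5 and the client never has to reach ORIGIN itself.
            target = f"{ORIGIN}{urlsplit(loc).path}"
            hops.append(Hop(host, ip, f"200 via VIP (src {F5_INTERNAL_SELF} -> {target})"))
            return hops
        # HTTP::redirect: 302 + Location.  The client opens a *new* connection to
        # the Location host.  That connection never arrives at the VIP, so the
        # VIP's SNAT Automap setting plays no part in it.
        hops.append(Hop(host, ip, f"302 -> {loc}"))
        url = loc
    hops.append(Hop("", None, "too many redirects"))
    return hops


# Constructed vantage points.
INTERNAL = View("internal client", {"test.domain.com": ORIGIN}, {VIP, ORIGIN}, {})
EXTERNAL = View("external client", {}, {PUBLIC_IP}, {PUBLIC_IP: VIP})
EXTERNAL_LEAKY_DNS = View("external client, internal name resolvable",
                          {"test.domain.com": ORIGIN}, {PUBLIC_IP}, {PUBLIC_IP: VIP})
ENTRY = {INTERNAL.name: f"http://{VIP}/test", EXTERNAL.name: f"http://{PUBLIC_IP}/test",
         EXTERNAL_LEAKY_DNS.name: f"http://{PUBLIC_IP}/test"}


def final_status(view: View, url: str, mode: str = "redirect") -> str:
    return browse(view, url, mode)[-1].status


if __name__ == "__main__":
    for v in (INTERNAL, EXTERNAL, EXTERNAL_LEAKY_DNS):
        for m in ("redirect", "rewrite"):
            print(f"{v.name:45s} {m:8s}", [h.status for h in browse(v, ENTRY[v.name], m)])
```

The second leg of a redirect is an ordinary client connection to whatever the Location host resolves to from the client's own vantage point, which is why the internal client succeeds and the external one fails at DNS or at connect time regardless of the SNAT setting on the VIP; SNAT Automap only matters on connections the virtual server itself forwards, as in the `rewrite` mode.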