Forum Discussion

ethomas_116508
May 22, 2013

VLANs and Firewalls and things

2 separate ISPs, each with its own Cisco ASA 5520 and VPN termination

BIGIP 4000 in HA Active/Standby

What is the correct/preferred method of implementation... ISP>>Firewall>>F5 or ISP>>F5 with the firewall hanging off?

If ISP>>Firewall>>F5 is the way to go, how do I get them on the same subnet, the firewall too? External VLANs were created for the ISP, F5 and FW to converge on their designated VLAN ports on an unmanaged switch, but we still cannot get things to work properly...


6 Replies

  • You'd typically find this design in place: ISP > Firewall > F5

    From an IP perspective: ISP:Firewall would be one subnet, Firewall:F5 would be another subnet, and you'd then have another subnet for the 'inside' of the F5. They shouldn't be on the same subnet, ideally.

    Of course, this depends on how your ISP does its addressing and how you are terminating the ISPs' lines/equipment, etc.
  • OK... thanks so very much. Can I assume that the same rules apply for a dual-homed ISP situation? We are doing failover with the F5 in HA active/standby.
  • I would say so, yes; presumably you deal with the link redundancy etc. forward of the firewall. Of course, you could always use the F5 to provide the firewall functions too and save some money.
  • I've been talking to management about eliminating the FWs and putting the F5s on the edge for access, VPN, and firewall. We've had the ASAs for some time now, just haven't put them into production. The fear is the VPN client and end-user experience. Everyone's familiar with Cisco AnyConnect.

    Thanks so very much for all of your assistance on this. We originally had the FW and F5 and ISP converging in an unmanaged switch into VLANs, but I could never get the traffic to go through the F5. The subnets make total sense now.


  • I finally got the subnet between the firewall and the F5 "talking". Question: where do I NAT to make it so that internet traffic goes through the F5 and then the FW? I did as you said: ISP>FW>F5.
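The three-subnet layout from the first reply (ISP:Firewall, Firewall:F5, and a separate inside subnet), written out as an added tmsh configuration example that is not from this thread or from F5. The VLAN names, interface numbers, traffic-group name and RFC 5737/RFC 1918 addresses are assumed placeholders, and the virtual server with SNAT automap is one assumed way of ensuring that server replies return through the BIG-IP rather than bypassing it.

```tmsh
# Added example, not from the thread. Addresses and interfaces are constructed
# placeholders; adjust them to your own ISP-facing and internal addressing.
#
#   ISP <-> ASA : 198.51.100.0/29  (firewall outside; not configured on the BIG-IP)
#   ASA <-> F5  : 192.0.2.0/29     (ASA inside = 192.0.2.1, BIG-IP VLAN "external")
#   F5 inside   : 10.0.0.0/24      (servers, BIG-IP VLAN "internal")

# One VLAN per subnet, each on its own interface (no shared unmanaged-switch VLAN).
create net vlan external interfaces add { 1.1 { untagged } }
create net vlan internal interfaces add { 1.2 { untagged } }
create net vlan ha interfaces add { 1.3 { untagged } }

# Non-floating self IPs for this unit (the standby unit uses .3 on each VLAN).
# allow-service none keeps the BIG-IP from listening on the ASA-facing address.
create net self 192.0.2.2 address 192.0.2.2/29 vlan external allow-service none
create net self 10.0.0.2 address 10.0.0.2/24 vlan internal allow-service none
create net self 172.16.0.2 address 172.16.0.2/29 vlan ha allow-service default

# Floating self IPs move with the active unit of the HA pair; the inside
# floating address is the default gateway the servers point at.
create net self 192.0.2.4 address 192.0.2.4/29 vlan external traffic-group traffic-group-1 allow-service none
create net self 10.0.0.1 address 10.0.0.1/24 vlan internal traffic-group traffic-group-1 allow-service none

# Default route: anything not local leaves toward the ASA's inside address.
create net route default gw 192.0.2.1

# A published service on the ASA:F5 subnet. The ASA (assumed) NATs the public
# address to 192.0.2.5; SNAT automap makes server replies come back via the BIG-IP.
create ltm pool web_pool members add { 10.0.0.10:80 10.0.0.11:80 } monitor http
create ltm virtual web_vs destination 192.0.2.5:80 ip-protocol tcp pool web_pool profiles add { http tcp } snat automap

save sys config
```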