Forum Discussion

Dustin_132959
Sep 04, 2013

LTM - DMZ Routing

We have 2 VLANs set up for a specific partition on our LTM. One is for their production servers, the other is intended to act as a DMZ as there is a particular server that needs a lot of ports opened to it from the Internet. To reduce the security risk of opening so many ports to the production network, another VLAN was created for this server to sit on. However, this server still needs to access select devices on their production network, but only using 1 port. How can I allow communication from the server in the DMZ to specific devices on their production network? Is setting up Layer 4 virtual servers the only way to achieve this without completely opening the communication between the two VLANs? Is there a way that I can allow communication between the 2 networks, but restrict what devices it has access to without creating a virtual server for every device this server needs to communicate with on the production network?

Any assistance is appreciated.

Thank you.

3 Replies

  • You could create a wildcard virtual server, enable it only on the DMZ VLAN and apply an access list as necessary?

  • Thank you for your reply. What would the wildcard server point to, the entire subnet on the DMZ?

  • How can I allow communication from the server in the DMZ to specific devices on their production network?

    Just wondering if host virtual server (i.e. server in production network) with specific source setting (i.e. dmz server) is usable.
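A concrete form of the approach the replies describe (a forwarding virtual server that listens only on the DMZ VLAN and is filtered by source address), written as an added tmsh example that is not part of this thread. All VLAN names, addresses and the port are hypothetical, and the per-virtual `source` filter requires TMOS 11.3 or later:

```tmsh
# Added example, not from the thread. Assumed (hypothetical) values:
#   DMZ server        10.30.0.50   on VLAN "dmz_vlan"
#   production subnet 10.10.0.0/24 on VLAN "prod_vlan"
#   the one permitted port: TCP 8443
# The "source" property on a virtual server needs TMOS 11.3 or later.

# Network forwarding virtual server. It matches any destination inside the
# production subnet on TCP 8443, but only for packets that arrive on the DMZ
# VLAN from the DMZ server's address. Traffic from the DMZ that matches no
# virtual server is dropped by LTM's default-deny, so nothing else crosses.
create ltm virtual vs_dmz_to_prod_8443 {
    destination 10.10.0.0:8443
    mask 255.255.255.0
    source 10.30.0.50/32
    ip-protocol tcp
    ip-forward
    profiles { fastL4 { } }
    vlans { dmz_vlan }
    vlans-enabled
}

# Review the object, then persist it to the saved configuration.
list ltm virtual vs_dmz_to_prod_8443
save sys config
```

Two things to check before relying on this. First, `vlans-enabled` with the VLAN list is what keeps a production host from using the same virtual server in the other direction; a wildcard enabled on all VLANs would accept traffic from either side. Second, `ip-forward` does no address translation, so the production device sees 10.30.0.50 as the client and must route its replies back through the LTM (default gateway or a static route for the DMZ subnet); if that is not the case, add `source-address-translation { type automap }` to the virtual so replies return to the LTM's self IP. If only a handful of production devices should be reachable rather than the whole subnet, either tighten `mask` to the smallest covering range or, as the last reply suggests, create a standard host virtual server per device with the same `source` and `vlans` restrictions.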