Greg_130338
Mar 25, 2015

Forwarding IP VS

When we first implemented APM for SSLVPN remote network access, we were told we needed a forwarding virtual server to allow the VPN clients to route back out to the Internet through the F5. A route was built and a fwd VS was set up that looks like this.

 

Type: Forward IP, Source: any, Destination: any, All ports, All VLANs, Auto Map

 

Our BigIPs sit at the edge of the network connected to the router, not behind a firewall. My concern is that anyone can bounce traffic off the external interface of the BigIP with this VS enabled and proxy traffic from that external interface IP address. Am I understanding this correctly? In addition, wouldn't a better implementation be to just set a default route for the clients to go out our firewalls so they hit the rest of our security infrastructure for inspection of the traffic? Or is there a better way to limit the forwarding virtual server to only the clients in the network access lease pool?

 

Thanks for any input.

 

-GR

 

2 Replies

    • Am I understanding this correctly?

    Yes, I believe you do.

     

    • In addition, wouldn't a better implementation be to just set a default route for the clients to go out our firewalls so they hit the rest of our security infrastructure for inspection of the traffic?

    Sounds like a better plan.

     

    • Or is there a better way to limit the forwarding virtual server to only the clients in the network access lease pool?

    You can use the source field to limit it to your better setup firewall environment.

     

  • Hi,

     

    You can also specify through which VLAN the traffic flows instead of allowing all VLANs to communicate through the VS.
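
An added example, not part of the thread and not F5 code: a small audit that applies both replies' suggestions (limit the source field, limit the VLANs) to forwarding virtual servers found in bigip.conf-style text. The stanza layout, the virtual server names, the `vpn_tunnel` VLAN and the 10.99.0.0/24 lease pool are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in bigip.conf stanza style; names and subnets are made up.
SAMPLE_CONF = """\
ltm virtual /Common/vs_fwd_any {
    destination /Common/0.0.0.0:0
    ip-forward
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
}
ltm virtual /Common/vs_fwd_vpn {
    destination /Common/0.0.0.0:0
    ip-forward
    source 10.99.0.0/24
    vlans {
        /Common/vpn_tunnel
    }
    vlans-enabled
}
"""

# Top-level stanzas open and close at column 0; nested braces are indented.
STANZA = re.compile(r"^ltm virtual (\S+) \{\n(.*?)^\}", re.M | re.S)

def audit_forwarding_virtuals(conf, lease_pool):
    """Map each ip-forward virtual server to a list of exposure findings."""
    pool = ipaddress.ip_network(lease_pool)
    report = {}
    for name, body in STANZA.findall(conf):
        lines = [line.strip() for line in body.splitlines()]
        if "ip-forward" not in lines:
            continue  # not a Forwarding (IP) virtual server
        findings = []
        # Assumption: a stanza with no "source" line matches any source.
        src = next((l.split()[1] for l in lines if l.startswith("source ")), "0.0.0.0/0")
        net = ipaddress.ip_network(src, strict=False)
        if net.version != pool.version or not net.subnet_of(pool):
            findings.append(f"source {src} is wider than lease pool {lease_pool}")
        # Assumption: without "vlans-enabled" the listener is not tied to listed VLANs.
        if "vlans-enabled" not in lines:
            findings.append("not restricted to specific VLANs")
        report[name] = findings
    return report

if __name__ == "__main__":
    for vs, issues in audit_forwarding_virtuals(SAMPLE_CONF, "10.99.0.0/24").items():
        print(vs, "->", issues or "restricted")
```
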