Forum Discussion

zafer
Mar 17, 2009

Secure DMZ communication

Hi all,

I have 3 pairs of redundant DMZ switches and 2 firewalls (each firewall has 3 DMZ interfaces), and I want to implement this with redundant BIG-IPs.

I attached the topology.

I want to send DMZ-to-DMZ communication traffic over the firewall; that means when DMZ1 servers want to connect to DMZ2 servers they will pass through the firewalls (it will be accepted or denied by the firewall).

For this scenario I will do it like this:

Client-side networks

for DMZ1 network 1.1.1.0/24
for DMZ2 network 2.2.2.0/24
for DMZ3 network 3.3.3.0/24

FW interfaces: 1.1.1.254, 2.2.2.254, 3.3.3.254
BIG-IP self IPs: 1.1.1.253, 2.2.2.253, 3.3.3.253

Server-side networks

for DMZ1 4.4.4.0/24
for DMZ2 5.5.5.0/24
for DMZ3 6.6.6.0/24

BIG-IP self IPs: 4.4.4.253, 5.5.5.253, 6.6.6.253

BIG-IP configuration

fw_dmz1_pool: 2.2.2.254:0 and 3.3.3.254:0
fw_dmz2_pool: 1.1.1.254:0 and 3.3.3.254:0
fw_dmz3_pool: 1.1.1.254:0 and 2.2.2.254:0

VIPs (L4)

dest 4.4.4.0/24, enabled on VLANs DMZ2 and DMZ3, pool fw_dmz1_pool
dest 5.5.5.0/24, enabled on VLANs DMZ1 and DMZ3, pool fw_dmz2_pool
dest 6.6.6.0/24, enabled on VLANs DMZ1 and DMZ2, pool fw_dmz3_pool

Is this configuration correct? Can anybody suggest another way?

Can we get a FastL4 profile problem? Idle timeout etc.

Any redundancy suggestions?

Note: I want to use 1 interface port per DMZ; I will do VLAN tagging.

Regards

zafer
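The design described in the post, written out as a BIG-IP tmsh configuration. This is an added example, not configuration from the original post, and it uses tmsh syntax from later BIG-IP versions rather than the bigpipe syntax a 2009 installation would have used. It assumes the three VLANs are named DMZ1, DMZ2 and DMZ3 (one tagged VLAN per DMZ on a single interface, as the note in the post says), that the firewall pools are monitored with the built-in gateway_icmp monitor so a dead firewall interface drops out of the pool, and that address and port translation are disabled on the forwarding virtual servers so the firewall receives the packet with its real destination address. The profile name fastL4_fw, the 3600-second idle timeout, the virtual server names and the traffic-group-1 floating self IP are assumptions made for the example.

```tmsh
# Added example, not from the original post. Names and timeout values are assumed.

# FastL4 profile for the forwarding virtual servers. The default idle timeout
# (300 s) is short for long-lived server-to-server sessions; 3600 s is an assumed
# value to illustrate where the setting lives.
ltm profile fastl4 fastL4_fw {
    defaults-from fastL4
    idle-timeout 3600
}

# Firewall interface pools, one per destination DMZ, exactly as listed in the post.
# Port 0 means "any port"; gateway_icmp pings the member and marks it down on loss.
ltm pool fw_dmz1_pool {
    members {
        2.2.2.254:0 { address 2.2.2.254 }
        3.3.3.254:0 { address 3.3.3.254 }
    }
    monitor gateway_icmp
}
ltm pool fw_dmz2_pool {
    members {
        1.1.1.254:0 { address 1.1.1.254 }
        3.3.3.254:0 { address 3.3.3.254 }
    }
    monitor gateway_icmp
}
ltm pool fw_dmz3_pool {
    members {
        1.1.1.254:0 { address 1.1.1.254 }
        2.2.2.254:0 { address 2.2.2.254 }
    }
    monitor gateway_icmp
}

# Network (wildcard) virtual servers: destination is the server-side /24 of one DMZ,
# listening only on the VLANs of the other two DMZs. translate-address disabled is
# what makes this a forwarding path: without it BIG-IP would rewrite the destination
# to the firewall's own address and the firewall could never see the real target.
ltm virtual vs_fwd_to_dmz1 {
    destination 4.4.4.0:any
    mask 255.255.255.0
    ip-protocol any
    pool fw_dmz1_pool
    profiles { fastL4_fw { } }
    translate-address disabled
    translate-port disabled
    vlans { DMZ2 DMZ3 }
    vlans-enabled
}
ltm virtual vs_fwd_to_dmz2 {
    destination 5.5.5.0:any
    mask 255.255.255.0
    ip-protocol any
    pool fw_dmz2_pool
    profiles { fastL4_fw { } }
    translate-address disabled
    translate-port disabled
    vlans { DMZ1 DMZ3 }
    vlans-enabled
}
ltm virtual vs_fwd_to_dmz3 {
    destination 6.6.6.0:any
    mask 255.255.255.0
    ip-protocol any
    pool fw_dmz3_pool
    profiles { fastL4_fw { } }
    translate-address disabled
    translate-port disabled
    vlans { DMZ1 DMZ2 }
    vlans-enabled
}

# Redundancy: on an HA pair the server-side self IPs the servers use as their
# default gateway must be floating, i.e. in the traffic group that fails over.
# One of the three is shown; DMZ2 (5.5.5.253) and DMZ3 (6.6.6.253) follow the same pattern.
net self 4.4.4.253 {
    address 4.4.4.253/24
    allow-service none
    traffic-group traffic-group-1
    vlan DMZ1
}
```

Two things a practitioner would check before relying on this: the servers in each DMZ must point their default gateway at the floating self IP (4.4.4.253, 5.5.5.253, 6.6.6.253), or the virtual servers are never reached; and a pool's load balancing chooses a member without regard to the VLAN a packet arrived on, so with two firewall interfaces per pool as listed, some flows from one DMZ will be handed to the firewall interface that sits in the other DMZ's VLAN, which is worth confirming against the intended firewall policy.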