We are trying to separate the traffic flowing through the CSM module and being SSL-offloaded by SSLM modules. We have already decided that the best way to do that is to use the CSM in bridge mode and the SSLM with the new, VRF-aware software.
Unfortunately, we found a problem when we tried to connect, in the same way, two systems whose real servers should not be able to communicate with each other.
To do the SSL offloading with the CSM in bridge mode, we have to create a dedicated VLAN with an L3 interface that is going to host the real servers. When we connect two VLANs in the same way, those servers are able to communicate with each other via the CSM.
This is not what we wanted, so we tried to insert an additional FW between the CSM and the real servers. When we tried to install an L3 FW, we had to enter a static route in the CSM server VLAN indicating that the real servers can be reached via the outside IP address of the firewall.
The first problem is that with such a topology, the CSM is not routing the packets correctly (or is not routing packets at all). We opened all IP and ICMP traffic on the firewall and we were not able to ping the real server from the router connected to the CSM client VLAN.
In the second phase, we tried to install an L2 firewall between the CSM and the real servers. Everything works, but we had a problem establishing real-server-initiated connections.
We found a solution for this by using client NAT on the CSM.
Now everything works, but it is really complicated and difficult to troubleshoot.
Does anybody know an easier way to provide separation of the traffic using the CSM and SSLM modules (except switching to ACE :) or using a dedicated interface on the servers for server-initiated traffic)?
I would appreciate any help.
If something is unclear please let me know.
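For readers who want to see what the client-NAT workaround described above looks like on the CSM, here is a hypothetical configuration fragment. It is an added example, not configuration from the original post: the slot number, VLAN IDs, addresses, pool and farm names are all assumed, and the firewall and SSLM parts of the topology are left out. It shows a single bridged client/server VLAN pair (same CSM address on both sides, as bridge mode requires) with a serverfarm that rewrites the client source address from a NAT pool.

```cisco
! Added example, not from the original post. Slot, VLAN IDs, names and addresses are assumed.
module ContentSwitchingModule 5
 ! Client-side VLAN, facing the router
 vlan 100 client
  ip address 10.1.100.2 255.255.255.0
  gateway 10.1.100.1
 ! Server-side VLAN, facing the L2 firewall and the real servers.
 ! In bridge mode the server VLAN carries the same CSM address as the client VLAN.
 vlan 200 server
  ip address 10.1.100.2 255.255.255.0
 ! Source address(es) the CSM substitutes for the client address (client NAT)
 natpool CLIENT-NAT 10.1.100.10 10.1.100.10 netmask 255.255.255.0
 serverfarm WEB-SSL
  ! Rewrite the destination to the real server (default) and the source to the pool address
  nat server
  nat client CLIENT-NAT
  real 10.1.100.11
   inservice
 vserver WEB-443
  virtual 10.1.100.50 tcp https
  serverfarm WEB-SSL
  inservice
```

With `nat client` on the serverfarm, every load-balanced connection that reaches a real server through the L2 firewall carries a source address from the CSM's own pool rather than the original client address, so the firewall only ever sees CSM-owned addresses on the client side of server-bound flows; that is the property the post relies on to get the L2-firewall topology working.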