Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
771
Views
0
Helpful
3
Replies

ACE configuration from DMZ Zone to Secure Zone

shivendu.singh
Level 1
Level 1

‎10-31-2011 11:08 AM

Hi ,

I am currently stuck with one LB implementation. I have one pair of LBs situated in DMZ zone which are load Balancing servers in secure zone as below :

internet - > External Firewall -> LB - > Application Servers

LBs are by passing internal firewall and inter VLAN routing is happening through LBs. Due to Security reasons I am complled to change the settings such that Traffic from LBs should pass through internal Firewall and then go to Application Servers and same should happen to return traffic .

What is the way out . I am looking at two options :

1. internt->external Firwal -> LB - internal Firewall -> Application Server : But I am not able to understand how to setup the routing in such a way that traffic is forwarded to internal firewall which then pass it on to Application Server. Is there any document available on this or any help ?

2. internet - > external Firewal -> LB ( Context1) -> internal Firewall - > LB ( Context 2) - > Application Server . In this case I want to create two context in same load Balancer one interfacing DMZ zone and other secure zone with on VIP each on both side . so DMZ Zone VIP will forward traffic to Secure Zone VIP  which will then pass on to Application servers and eturn. IS this type of configuration possible please guide.

Thanks

Labels:
0 Helpful
3 Replies 3

Surya ARBY
Level 4
Level 4

‎10-31-2011 02:01 PM

You have to use source NAT on the LB.

This is called a 1-arm design.

PS : putting LB and load balanced front end web servers in different security zones is a nonsense.

0 Helpful

shivendu.singh
Level 1
Level 1
In response to Surya ARBY

‎10-31-2011 02:49 PM

Hi Surya,

In this case there are no front end web servers . LBs are directly load balancing application servers.  So in this case how source NAT will help. In any case source NATing will happen on external firewall. please suggest.

Thanks

0 Helpful

Surya ARBY
Level 4
Level 4
In response to shivendu.singh

‎10-31-2011 03:01 PM

Your LB will act as a reverse proxy for your application servers.

Your external firewall will NAT the VIP owned by the ACE. Then the ACE will NAT flows to forward them to the application servers through the firewall to route the traffic to the servers.

The servers will see the flows as they were sourced by the ACE.

0 Helpful
Customers Also Viewed These Support Documents