Cisco Support Community
New Member

ACE configuration from DMZ Zone to Secure Zone

Hi,

I am currently stuck with one LB implementation. I have one pair of LBs situated in the DMZ zone which are load balancing servers in the secure zone as below:

internet -> External Firewall -> LB -> Application Servers

The LBs are bypassing the internal firewall, and inter-VLAN routing is happening through the LBs. Due to security reasons I am compelled to change the settings such that traffic from the LBs passes through the internal firewall and then goes to the Application Servers, and the same should happen to return traffic.

What is the way out? I am looking at two options:

1. internet -> external Firewall -> LB -> internal Firewall -> Application Server: But I am not able to understand how to set up the routing in such a way that traffic is forwarded to the internal firewall, which then passes it on to the Application Server. Is there any document available on this, or any help?

2. internet -> external Firewall -> LB (Context 1) -> internal Firewall -> LB (Context 2) -> Application Server. In this case I want to create two contexts in the same load balancer, one interfacing the DMZ zone and the other the secure zone, with one VIP each on both sides, so the DMZ zone VIP will forward traffic to the secure zone VIP, which will then pass it on to the application servers and return. Is this type of configuration possible? Please guide.



Re: ACE configuration from DMZ Zone to Secure Zone

You have to use source NAT on the LB.

This is called a 1-arm design.

PS: putting the LB and load-balanced front end web servers in different security zones is nonsense.

New Member

ACE configuration from DMZ Zone to Secure Zone

Hi Surya,

In this case there are no front end web servers. The LBs are directly load balancing application servers. So in this case, how will source NAT help? In any case source NATing will happen on the external firewall. Please suggest.



ACE configuration from DMZ Zone to Secure Zone

Your LB will act as a reverse proxy for your application servers.

Your external firewall will NAT the VIP owned by the ACE. Then the ACE will NAT flows to forward them to the application servers through the firewall to route the traffic to the servers.

The servers will see the flows as if they were sourced by the ACE.
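
The one-arm, source-NAT design described in the replies above could look like the following ACE context configuration. This is an added sketch, not part of any post in the thread; every address, VLAN number and object name is constructed for illustration, and lines beginning with `!` are annotations for the reader rather than commands to enter.

```cisco
! Constructed addressing (not from the thread):
!   DMZ VLAN 100     192.0.2.0/24
!   external FW      192.0.2.1     internal FW (DMZ side) 192.0.2.254
!   ACE interface    192.0.2.2     VIP 192.0.2.100   SNAT address 192.0.2.101
!   secure zone      10.20.0.0/24  app servers 10.20.0.11, 10.20.0.12

access-list CLIENTS line 10 extended permit tcp any host 192.0.2.100 eq www

rserver host APP1
  ip address 10.20.0.11
  inservice
rserver host APP2
  ip address 10.20.0.12
  inservice

serverfarm host APP-FARM
  rserver APP1
    inservice
  rserver APP2
    inservice

class-map match-all VIP-APP
  2 match virtual-address 192.0.2.100 tcp eq www

policy-map type loadbalance first-match LB-APP
  class class-default
    serverfarm APP-FARM

policy-map multi-match DMZ-VIPS
  class VIP-APP
    loadbalance vip inservice
    loadbalance policy LB-APP
    ! Source-NAT client flows to pool 1 so the servers reply to the ACE
    nat dynamic 1 vlan 100

interface vlan 100
  ip address 192.0.2.2 255.255.255.0
  access-group input CLIENTS
  service-policy input DMZ-VIPS
  nat-pool 1 192.0.2.101 192.0.2.101 netmask 255.255.255.255 pat
  no shutdown

! The server subnet is reachable only through the internal firewall
ip route 10.20.0.0 255.255.255.0 192.0.2.254
! Everything else leaves via the external firewall
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

With this layout the internal firewall only needs a rule permitting the SNAT address to reach the application servers on the application port, and the servers' replies return through that firewall because their destination is the SNAT address in the DMZ. The servers no longer see the original client IP, so any logging or access control that depends on it has to happen on the ACE or the firewalls.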
