02-21-2013 10:18 PM
Hi All,
How can I divert traffic to the F5 ASM (Web Application Firewall) before it reaches the real server?
access-list ANYONE line 8 extended permit ip any any
probe icmp ICMP
  interval 2
  faildetect 4
  passdetect interval 4
  passdetect count 4
probe tcp TCP_80
  interval 2
  faildetect 4
  passdetect interval 4
  passdetect count 4
rserver host F5_ASM_01
  ip address 10.25.245.4
  inservice
rserver host SSCP_01
  ip address 10.26.74.21
  inservice
rserver host SSCP_02
  ip address 10.26.74.22
  inservice
serverfarm host F5_ASM
  transparent
  failaction purge
  predictor hash address source
  probe ICMP
  rserver F5_ASM_01
    inservice
serverfarm host Web_farm
  failaction purge
  predictor hash address source
  probe TCP_80
  rserver SSCP_01
    inservice
  rserver SSCP_02
    inservice
class-map match-all F5_VIP
  2 match virtual-address 10.25.245.1 tcp eq www
class-map type management match-any Mgmt_class
  2 match protocol icmp any
  3 match protocol snmp any
  4 match protocol telnet any
  5 match protocol ssh any
class-map match-all Web_80_class
  2 match virtual-address 172.20.133.100 tcp eq www
policy-map type management first-match Mgmt_policy
  class Mgmt_class
    permit
policy-map type loadbalance first-match F5_ASM_policy
  class class-default
    serverfarm F5_ASM backup Web_farm
policy-map type loadbalance first-match Web_policy
  class class-default
    serverfarm Web_farm
policy-map multi-match Accel_SLB_policy
  class Web_80_class
    loadbalance vip inservice
    loadbalance policy F5_ASM_policy
    loadbalance vip icmp-reply active
policy-map multi-match Web_SLB_policy
  class F5_VIP
    loadbalance vip inservice
    loadbalance policy Web_policy
    loadbalance vip icmp-reply active
service-policy input Mgmt_policy
access-group input ANYONE
interface vlan 271
  description ### Client side ###
  ip address 172.20.133.27 255.255.255.0
  no normalization
  mac-sticky enable
  service-policy input Accel_SLB_policy
  no shutdown
interface vlan 281
  description ### F5 ASM side ###
  ip address 10.25.245.10 255.255.255.0
  no normalization
  mac-sticky enable
  service-policy input Web_SLB_policy
  no shutdown
interface vlan 291
  description ### Server side ###
  ip address 10.26.74.2 255.255.255.0
  no normalization
  mac-sticky enable
  no shutdown
DR-ACE-01/PORTAL-TIER1#
DR-ACE-01/PORTAL-TIER1# sh conn address 172.20.133.88 netmask 255.255.255.255
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
36750      1  in  TCP   271  172.20.133.88:61234   172.20.133.100:80     ESTAB
35100      1  out TCP   281  172.20.133.100:80     172.20.133.88:61234   ESTAB
Missing: in TCP 281 to out TCP 291....
The F5 ASM points to 10.25.245.1 (ACE VIP) as its gateway.
Please help.
Thanks
YokeChuan
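The `show conn` output above is the evidence for the problem: only the client-side pass (in on VLAN 271, out on VLAN 281) exists, and the second pass through the ACE (in on VLAN 281 from the WAF, out on VLAN 291 to the server) never shows up. The following added script, which is not part of the original post, parses that table and reports which legs of the sandwich path are absent for a given client address; the VLAN numbers are taken from the posted config, and it assumes the WAF preserves the client source address (as the `transparent` serverfarm implies). The sample table is constructed from the two rows posted.

```python
import re

# Legs an established client flow should show for the
# client -> ACE VIP -> F5 ASM -> ACE VIP -> server path (VLANs from the
# posted config; assumes the WAF keeps the client source address).
EXPECTED_LEGS = [("in", 271), ("out", 281), ("in", 281), ("out", 291)]

ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<np>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)

def parse_show_conn(text):
    """Parse the tabular part of `show conn`; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["vlan"] = int(row["vlan"])
            rows.append(row)
    return rows

def legs_for_client(rows, client_ip):
    """Return the set of (dir, vlan) legs that carry the given client address."""
    legs = set()
    for r in rows:
        endpoints = (r["src"].rsplit(":", 1)[0], r["dst"].rsplit(":", 1)[0])
        if client_ip in endpoints:
            legs.add((r["dir"], r["vlan"]))
    return legs

def missing_legs(text, client_ip):
    """List expected legs absent from the output, in path order."""
    present = legs_for_client(parse_show_conn(text), client_ip)
    return [leg for leg in EXPECTED_LEGS if leg not in present]

# Constructed sample: the two rows from the post; the WAF-return legs are absent.
SAMPLE = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
36750      1  in  TCP   271  172.20.133.88:61234   172.20.133.100:80     ESTAB
35100      1  out TCP   281  172.20.133.100:80     172.20.133.88:61234   ESTAB
"""

if __name__ == "__main__":
    for leg in missing_legs(SAMPLE, "172.20.133.88"):
        print("missing leg: %s on vlan %d" % leg)
```

Run against the posted sample it reports the `in 281` and `out 291` legs as missing, which is exactly the gap the post describes.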
02-22-2013 12:58 AM
Hi,
I would suggest passing the traffic to the F5 first and then to the ACE. Why would you need to pass traffic through the ACE twice?
So I would suggest this way:
Client traffic on VLAN 10 >> Web application firewall VLAN 10 >>>> screens the traffic >>>> Pass it to Vlan 11
>>> VLAN 11 is forwarded to ACE >>> ACE load balance the traffic >>>> Pass it to vlan 12 ( server vlan)
regards,
Ajay Kumar
02-24-2013 09:54 PM
Hi Ajay,
Thanks for the reply and suggestion.
In the client's current production network, the ACE performs VIP load balancing for the existing server farm.
The client doesn't plan to modify the current network setup. That is why the F5 ASM is set up to attach to the ACE.
Is the ACE able to handle this kind of setup? (traffic passes through the ACE twice)
Thanks
YokeChuan
02-25-2013 12:00 AM
Hi Yoke,
It is possible. You just have to create two ACE contexts.
ACE context 1 -- Vlan 10 ( Client ) ---- Vlan 11 ( Web app firewall )
ACE context 2 -- VLAN 12 ( Web app firewall traffic ) --- Vlan 13 ( Serverfarm)
Also read the following:
By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains, unless it is a shared VLAN. The ACE allocates the same MAC address to the VLANs.
When you are using a firewall service module (FWSM) to bridge traffic between two contexts on the ACE, you must assign two Layer 3 VLANs to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.
To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:
mac address autogenerate
regards,
Ajay Kumar
02-27-2013 01:23 AM
Hi Ajay,
Thanks for the reply.
I have created 2 contexts as suggested, but I am still confused about the WAF routing.
Below are the configuration files for the Portal-Tier1 and Web-Server contexts.
DR-ACE-01/PORTAL-TIER1# sh run
Generating configuration....
access-list ANYONE line 8 extended permit ip any any
probe icmp ICMP
  interval 2
  faildetect 4
  passdetect interval 4
  passdetect count 4
rserver host F5_ASM_01
  ip address 10.25.245.4
  inservice
serverfarm host F5_ASM
  transparent
  failaction purge
  predictor hash address source
  probe ICMP
  rserver F5_ASM_01
    inservice
class-map type management match-any Mgmt_class
  2 match protocol icmp any
  3 match protocol snmp any
  4 match protocol telnet any
  5 match protocol ssh any
class-map match-all Web_80_class
  2 match virtual-address 172.20.133.100 tcp eq www
policy-map type management first-match Mgmt_policy
  class Mgmt_class
    permit
policy-map type loadbalance first-match F5_ASM_policy
  class class-default
    serverfarm F5_ASM
policy-map multi-match Accel_SLB_policy
  class Web_80_class
    loadbalance vip inservice
    loadbalance policy F5_ASM_policy
    loadbalance vip icmp-reply active
service-policy input Mgmt_policy
access-group input ANYONE
interface vlan 271
  description ### Client side ###
  ip address 172.20.133.27 255.255.255.0
  no normalization
  mac-sticky enable
  service-policy input Accel_SLB_policy
  no shutdown
interface vlan 281
  description ### F5 ASM side ###
  ip address 10.25.245.10 255.255.255.0
  no normalization
  mac-sticky enable
  mac-address autogenerate
  no shutdown
DR-ACE-01/PORTAL-TIER1#
DR-ACE-01/WEB-Server# sh run
Generating configuration....
access-list ANYONE line 8 extended permit ip any any
probe tcp TCP_80
  interval 2
  faildetect 4
  passdetect interval 4
  passdetect count 4
rserver host SSCP_01
  ip address 10.26.74.21
  inservice
rserver host SSCP_02
  ip address 10.26.74.22
  inservice
serverfarm host Web_farm
  failaction purge
  predictor hash address source
  probe TCP_80
  rserver SSCP_01
    inservice
  rserver SSCP_02
    inservice
class-map type management match-any Mgmt_class
  2 match protocol icmp any
  3 match protocol snmp any
  4 match protocol telnet any
  5 match protocol ssh any
class-map match-all Web_80_class
  2 match virtual-address 10.26.75.100 tcp eq www
policy-map type management first-match Mgmt_policy
  class Mgmt_class
    permit
policy-map type loadbalance first-match Web_policy
  class class-default
    serverfarm Web_farm
policy-map multi-match Web_SLB_policy
  class Web_80_class
    loadbalance vip inservice
    loadbalance policy Web_policy
    loadbalance vip icmp-reply active
service-policy input Mgmt_policy
access-group input ANYONE
interface vlan 291
  ip address 10.26.74.2 255.255.255.0
  no normalization
  no shutdown
interface vlan 292
  ip address 10.26.75.2 255.255.255.0
  no normalization
  mac-sticky enable
  service-policy input Web_SLB_policy
  no shutdown
DR-ACE-01/WEB-Server#
Do I still need a VIP for VLAN 292?
Should the WAF route to the VLAN 292 VIP, or just do normal routing to the interface?
Do you have any sample for reference?
Thanks in advance.
Thanks
YokeChuan
02-27-2013 02:16 AM
Hi,
This should help you. The only thing that is different is that you are not doing firewall load balancing. Everything else will help you configure it the right way.
regards,
Ajay Kumar